In the pantheon of catchy cybersecurity slogans that should never have caught on, two about social engineering spring to mind almost immediately: “End users are the weakest link” and “attackers only have to be lucky once; defenders have to be lucky all the time.” Both of those statements have been repeated by practitioners since time immemorial and seem to make sense superficially, but should we be comfortable with the onus we put on end users to overcome the deficiencies of our defensive systems?
In 2019, with cyberthreats on the rise and breaches increasing in both frequency and magnitude, is it anything other than feigned impotence to claim that a roll of the dice and a potential, stupid (albeit very human) mistake is all that is keeping any given organization from being the next Maersk, Equifax or Capital One? Are we comfortable acknowledging that our defenses are so brittle that they can be shattered with one errant click? We certainly shouldn’t be.
Indeed, even when end users do exactly what they’re told they should, it may still not be enough. It’s hard to forget what is perhaps the most spectacular and consequential example of successful social engineering: