What started as a sales pitch turned into a slogan and is now axiomatic in some circles.  “Your people are the weakest link.”  More and more people are recognizing how wrong-headed that is but in the hopes of accelerating the demise of this phrase, let’s actually look at it.

Consider the technical controls most organizations have against phishing attacks:

1. A secure email gateway/a spam filter that blocks phishing emails
2. A web filter that blocks users from getting to known bad sites
3. Anti-virus/anti-exploit software that blocks malware from running; perhaps more than one solution is running
4. Any number of other network checkpoints that can keep a URL from being reached
5. A technical solution inspecting packets or analyzing netflows
6. Systems patched regularly to protect against known vulnerabilities

You’ve got all that running and the user gets an email, clicks on a link and there’s malware on your network.  You can be dis-satisfied with your technical controls for failing to block the email, the URL, the package, the exploit, the attachment, etc. but then you have to explain to the CFO why they’re writing those big checks.

Better idea: look at the ground, shake your head and say “people are our weakest link.”  takes the blame right off the technical controls.  And your incident response follow-up is all about the users.  Root cause: THEY clicked.  Action plan: teach THEM not to be fooled.  Think of all the systems that had to fail miserably for the hacker to be in a position to exploit your user.  Think of the fact that those systems are all marketed as focused on security whereas your users have other jobs to do as well.   People are your last line of defense when your pristine security stack gets breached by a clever exploit.

The next time someone tells you people are the weakest link, ask them why the people were exposed to the exploit in the first place