In the sys admin chagrin basket, users are the greatest source of our collective distress. Users click on phishing email messages, they download malware, they spend countless hours on those universal privacy leaks, known colloquially as social media sites, and they insist on trying to unravel our most sophisticated and well-executed security measures. In a word, users are a necessary evil.

We can't tie their hands. We can't unplug their computers or disable their WiFi connections. We can't place a force field around their laptops. And we can't seem to successfully educate them in the ways of safe computing. They are insiders and they are a persistent threat. And we can only hide for so long behind unanswered email, ignored phone messages, and the occasional walk by. We are doomed to deal with this insider threat and no amount of procrastination or advanced Jedi mind tricks will relieve us of our duty of protecting the user – even if it's from themselves.

Taking a soft approach to cybersecurity is one sure method of guaranteeing that you will experience a breach. You can't allow users to determine when they'll install Windows updates, when they'll decide to update their anti-malware software, or when to use multifactor authentication on web-based financial transactions. The soft security approach is better than any virus, adware, spyware, trojan, or worm at compromising your security. Hackers and advanced persistent threat (APT) organizations love IT and security folk who aren't serious about security. They love users who aren't trained. They love C-level executives who haven't been warned about whaling. And they really love systems that are behind on patches.

You can provide the latest and greatest security technology and spend hundreds of hours and tens of thousands of dollars per year on gadgets, on software, on third-party consultants, and on internal audits that will have absolutely no value if even one user clicks on some new email-borne malware, downloads some cracked software, or finds a USB drive on the sidewalk and inserts it into his computer. How will you explain these compromises to your upper management when they listened to your pleas for those gadgets, that software, those consultants, and that training you assured them would keep everyone safe?

"It's not my fault, it's the users."

Yes, that statement should go over well. Lead with that. The conversation should take a different direction when you do. Happy job hunting! A better approach is to say, "Yes, we have everything in place, but the threat landscape is huge, ever-changing, and becoming more sophisticated. It's a constant challenge." This conversation removes you from having to explain, to apologize, or to dust off your résumé.

The solution is to educate your users. And education is ongoing. It's not as simple as providing those annual, five-minute click-through training scenarios to satisfy regulatory requirements. You must take each department and train them in small groups. Accounting has different needs than human resources, and shipping and receiving has far different security issues than your C-level executives.

You must tell them what you want them to do and what you do not want them to do. It's a process that never ends. Send out monthly reminders and tips. Encourage your users to become good security stewards. Enable them to forward any suspicious email to your staff or to the help desk to have them checked out. Teach them how to use their Junk folders and how to send email to it. I won't apologize for telling you that you must engage your users. You should speak to them in a calm, mature manner. This isn't the 1990s, when IT people could wave users out of their chairs to fix a problem and brow beat them during the journey. Yes, users are more sophisticated now and so are the attackers. It's not a safe computing world out there – or inside your network. Users are not stupid or incompetent because they aren't trained to be awesome security Ninjas like you. They are users. It's your job to ensure that they don't become insider threats.

Ken Hess * ADMIN Senior Editor