Users remain the weakest link in all things security, and paying lip service to security education just doesn't work.

Federal workers, contractors reportedly behind many cyber breaches -- often by accident | Fox News

No surprises there. If you have a weak security policy, you're going to have users doing anything and everything on your networks. Most companies (and some government agencies) have training programs that are either non-existent or do little to actually train users. It's more of a "check the box" exercise than a real attempt to ensure users understand the ramifications of lax security in the workplace.

4 Scary Truths We Observed During National Cyber Security Awareness Month

If there are no repercussions when users screw the pooch, users aren't going to give a shit. And this starts at the top of the corporation and filters down. If the CEO doesn't care, and is seen day after day circumventing the company's AUP, do you think the rank and file are going to toe the line? IT departments have a thankless job, and when the bosses themselves are the worst offenders on security issues, it's time for a rethink of the chain of command and how security enforcement is handled within corporations.

At least within the government, there are methods to get things fixed. But on the civilian side, most CEOs don't care. All they want is for the IT department to bow to their will, security policies be damned. And if you rock the boat or refuse to circumvent policy, guess who's looking for a new job? I'll give you a hint: it's not the CEO.

Policies need to be put in place that allow IT departments to question management practices without fear of getting sacked. And if CEOs insist on circumventing policy, there needs to be a way for those in charge of security to approach the Board of Directors to ensure best practices are followed by everyone in the corporate environment.

Security isn't easy, and most users look at it as a hindrance to the job. Even the most common-sense policies are often questioned by those in the trenches (as well as the idiots at the top). This is why a comprehensive security education program is paramount if a company really wants to succeed at keeping the bad guys out of its networks. All the best tools in the world will amount to zip if your users don't fully understand why things are done the way they are, and the consequences if those policies aren't followed.