10 reasons why users are the biggest threat to your company’s IT environment

Your people are one of your company’s most valuable assets, but unfortunately users can also be one of your biggest threat when it comes to securing your IT environment. Of all the threats to your business, your own users are perhaps the most unpredictable. Some go out of their way to cause trouble, but even those who mean well can still create plenty of headaches for the IT team. Here are 10 human weaknesses which mean that users will always pose a threat to your IT environment.


1. Forgetful

Users regularly forget passwords, with password problems accounting for 20 to 30 percent of all IT service desk volume, according to Gartner. A culture of regular password resets also puts the security of your IT environment at risk, with attackers using bogus password reset requests as an attack vector to get a foothold within the business.

2. Lazy

Users can be lazy, sometimes to compensate for the fact that they’re forgetful. They choose weak passwords and do foolish things like reuse passwords. The theft of 68 million Dropbox login credentials in 2012 was traced back to the fact a Dropbox employee had reused a corporate password on their LinkedIn account. Lazy users also do foolish things like writing passwords on post-it notes stuck to their monitor.

3. Busy

To make things worse, time-poor users can also leave your IT environment exposed by forgetting to do simple things like install important software updates and security patches.

Want to learn more about the threats posed by users? Read more in the Nexus Group e-Book The State of IT Security 2018.

4. Clumsy

Users are always losing and break things, especially notebooks, smartphones and tablets. They leave devices in hotel rooms or lose them conferences, oblivious to the fact they’ve lost sensitive business information which you wouldn’t want falling into the hands of your rivals.

Users are also prone to losing security passes, two-factor authentication tokens and other items which can put your entire IT environment as risk.

5. Rebellious

Users don’t like being told what to do, so they’re always looking for ways to bypass your efforts to secure the IT environment. This includes using unsecured personal devices to handle sensitive business data, along with setting up “shadow IT” systems to work outside your official IT environment.

6. Nosy

Curiosity can get the best of people and nosy users can mean trouble. Privileged users can abuse their access to sensitive information and in the process increase the risk of that sensitive information leaking from your IT environment.

7. Gullible

Users fall for simple scams like phishing malware attacks that masquerade as unpaid bills or outstanding fines. They’re too quick to click on a malicious link or open an infected attachment – exposing the entire IT environment to the risk of cyber attack.

8. Vulnerable

Even savvy users are still vulnerable to sophisticated attacks, such as well-crafted spear phishing emails which look very convincing. Users are also vulnerable to Business Email Compromise scams, where attackers infiltrate your email system to impersonate senior staff and ask users to hand over sensitive information or transfer funds to offshore accounts. More than 90 percent of cyberattacks and resulting data breaches begin with spear phishing emails, according to cyber security firm Cofense.

9. Greedy

Greedy users might be looking for a way to make a quick buck on the side, whether it’s by embezzling money, selling trade secrets or providing access to your IT environment. Around 35 percent of workers would sell private company data if someone offered them the right price, according to research from Trend Micro.

10. Disgruntled

Disgruntled users are especially dangerous because they’ll go out of their way to create trouble and compromise your IT environment. Users holding a grudge might get greedy but, rather than financial reward, others are out to simply cause as much damage as possible from within.

Download E-book: The state of IT security 2018