The weakest link in computing has been, and will always be, humans. You can keep on adding as many security features as you want, but there will always be someone there to mess up the system.
Evidence for this can be found in two recent polls reported in the January 2006 edition of SC Magazine. They found that 62% of employees “send business related email from their personal email accounts thereby bypassing corporate account policies” (read SOX – Sarbanes-Oxley et al.), and 25% of respondents to another poll “admitted regularly forwarding corporate email messages to their personal accounts”.
My feeling is that a number of security initiatives out there are doomed to failure, not because of administrators’ technical abilities or the software, but rather because they ultimately fail to secure the weakest link, humble Homo sapiens.
Human beings are error-prone and tend to repeat the same mistakes again and again, and you don’t have to be a genius to fool one. Every day, millions of phishing emails are sent all over the world, and people are still caught with their pants down.
A recent AOL-sponsored survey in the US amongst phishing targets found that nearly three quarters of those surveyed thought the culprit emails were real. The only way to fight back is through education: training, crash courses, seminars, whatever it takes to get the message through.