Study: End users still the biggest hole in IT security