Ask the Expert

User awareness of social engineering

What should I tell my users about social engineering -- they are sales people.



Kudos to you and your organization for recognizing this vulnerability!

Spying (social engineering) is one of my favorite subjects and one on which organizations (as well as the government) spend billions each year. (Social engineering is obtaining information or advantage through pretending, misrepresentation or "appropriation". Social engineering has been used successfully for centuries (remember Homer's Iliad?)). Sales people are one of the most valuable assets a company has. Yet they are also one of the biggest vulnerabilities, because they are constantly on the move, taking valuable information with them, and they are paid to TALK. They must be counseled not only on what they verbalize but also on what they may leave behind in trash bins and electronically.

The loss of intellectual property through social engineering is staggering, with no end in sight. As you well know, through successful social engineering an organization can significantly reduce its research and development time and expense, or beat out the competition by knowing the financial arrangements being proposed. Technical controls can be procured and implemented, but if the individuals do not use them, your system is vulnerable.

One of the best methods to reduce social engineering is a well-instituted Security Awareness Program. Focus on acquainting the user community with the security function ("brand identification"). Incorporate the program into the individual's daily routine by providing non-participatory, non-structured and non-threatening reminders. Try giveaways (pencils, pens, sticky notes, etc.), videos, electronic messages, newsletters, tri-fold informational pamphlets and posters to keep the security message in front of them. Employee security briefings also work well here.

Also focus on building an understanding of security principles through active and structured participation in computer-based and instructor-led security training. Promote understanding of security principles and terminology, personal responsibility for security, positive behavioral change, and consistency and accountability in security.

Making your user community aware of the pitfalls provides them with the tools they need to prevent the problem.

Another method is to draft your policies to prevent information dissemination through social engineering, and to require security reviews with each sales person. Your policies should provide detailed security guidance on voice, written and electronic mechanisms. The policy should address critical risk areas such as electronic and handwritten dissemination and verbal disclosure. Further, your policies need to address each area of vulnerability within each risk area.


This was first published in April 2001
