Q

User awareness of social engineering

What should I tell my users about social engineering -- they are sales people.


Kudos to you and your organization for recognizing this vulnerability!

Spying (social engineering) is one of my favorite subjects and one on which organizations (as well as the government) spend billions each year. (Social engineering is obtaining information or advantage through pretending, misrepresentation or "appropriation". Social engineering has been successfully used for centuries (remember Homer's Iliad?).) Sales people are one of the most valuable assets a company has. Yet they are also one of the biggest vulnerabilities because they are constantly on the move, taking valuable information with them, and they are paid to TALK. They must be counseled not only on what they verbalize but on what they may leave behind in trash bins and electronically.

The loss of intellectual property through social engineering is staggering with no end in sight. As you well know, with successful social engineering, an organization can significantly reduce their research and development time and expense, or beat out competition by knowing the financial arrangements being proposed. Technical controls can be procured and implemented, but if the individuals do not use them, your system is vulnerable.

One of the best methods to reduce social engineering is through a well-instituted Security Awareness Program. Focus on acquainting the user community with the security function ("brand identification"). Incorporate the program into the individual's daily routines by providing non-participatory, non-structured and non-threatening reminders. Try give-aways (pencils, pens, sticky notes, etc.), videos, electronic messages, newsletters, tri-fold informational pamphlets and posters to keep the security message in front of them. Employee security briefings also work well here.

Also focus on bringing an understanding of security principles through active and structured participation in computer-based and instructor-led security training. Promote understanding of security principles and terminology, personal responsibility in security, positive behavioral change, and consistency and accountability in security.

Making your user community aware of the pitfalls provides them with the tools they need to prevent the problem.

Another method is to draft your policies to prevent information dissemination through social engineering, and to require security reviews with each sales person. Your policies should provide detailed security guidance on voice, written and electronic mechanisms. The policy should address critical risk areas such as electronic and handwritten dissemination and verbalizations. Further, your policies need to address each area of vulnerability within each risk area.


This was first published in April 2001