User awareness of social engineering
What should I tell my users about social engineering -- they are sales people.
Kudos to you and your organization for recognizing this vulnerability!
Spying (social engineering) is one of my favorite subjects and one on which
organizations (as well as the government) spend billions each year. (Social engineering is obtaining information or advantage through pretending,
misrepresentation or "appropriation". Social engineering has been
successfully used for centuries (remember Homer's Iliad?)). Sales people
are one of the most vulnerable assets a company has. Yet they are also one
of the biggest vulnerabilities because they are constantly on the move, taking
valuable information with them, and they are paid to TALK. They must be
counseled not only on what they verbalize but what they may leave behind
in trash bins and electronically.
The loss of intellectual property through social engineering is staggering
with no end in sight. As you well know, with successful social engineering,
an organization can significantly reduce their research and development time
and expense, or beat out competition by knowing the financial arrangements
being proposed. Technical controls can be procured and implemented, but if
the individuals do not use them, your system is vulnerable.
One of the best methods to reduce social engineering is through a
well-instituted Security Awareness Program. Focus on acquainting the user
community with the security function ("brand identification"). Incorporate
the program into the individual's daily routines by providing
non-participatory, non-structured and non-threatening reminders. Try giveaways
(pencils, pens, sticky notes, etc.), videos, electronic messages,
newsletters, tri-fold informational pamphlets and posters, to keep the
security message in front of them. Employee security briefings also work.
Also focus on bringing an understanding of security principles through active
and structured participation in computer-based and instructor-
led security training. Promote understanding of security principles and
terminology, personal responsibility in security, positive
behavioral change and consistency and accountability in security.
Making your user community aware of the pitfalls provides them with
the tools they need to prevent the problem.
Another method is to draft your policies to prevent information dissemination
through social engineering, and require security reviews with each sales
person. Your policies should provide detailed security guidance on voice,
written and electronic mechanisms. The policy should address critical
risk areas such as electronic and handwritten dissemination and verbalizations.
Further, your policies need to address each area of vulnerability within each
This was first published in April 2001