"Social engineering has become about 75% of an average hacker's toolkit, and for the most successful hackers, it reaches 90% or more."

Breaching a firewall is hard; impersonating tech support over the telephone is easy. Few motivated hackers planning an attack on a target will try technical means right from the outset. They would much prefer to hack people than servers. A big part of the answer to this problem is, obviously, training. Far too many organizations seem to have a policy along the lines of “screw up and you’re fired, and we’ll let you know when you’ve screwed up,” but this does not absolve IT professionals from all responsibility. Let’s look at a few measures that can be easily implemented.
Sensible Access Controls

In general, sharing information freely is good, but does every employee really need to have the router admin password? At the other extreme, one scientist friend told me that her work firewall actually stopped her from accessing the category “Science and Technology.” In this case, she simply pointed out the problem to IT, but depending on the person and circumstances, she might equally well have used a re-router. If rules are pointless, employees will circumvent them, turning access policies on their head. You need a written information policy that will ideally be both short and comprehensive. For instance, the accounting department needs to be able to see the client database, but does everyone down to the receptionist?
Empowering Employees

Considering the previous item, this might seem contradictory. The point is that hackers exploit people’s anxiety when faced with an authority figure, like a company director or lawyer. If employees aren’t confident enough to refuse a request, the hacker will succeed. Standard practice in many organizations is to treat anything beyond the most routine telephone request with caution: whoever takes the call asks for the caller’s name and company, but not for a phone number. The number is looked up independently and used to phone the person back. This way, you know they work where they say they do.
Continuous Reinforcement

Some kind of formal, mandatory training is certainly a good idea, but forcing people to sit in a room for an hour and be talked at is not likely to make them enthusiastic converts. Printing a hundred mousepads with reminders about email attachments and pen drives costs less than you might think, while a short weekly email highlighting case studies can also be effective.
Social Media Hygiene

Most people will post their holiday destinations and the names of their children’s schools without a second thought. The problem comes when a hacker uses those details to pretend to know them. Most people will be too embarrassed to ask who the heck they’re talking to. By all means use Facebook, but be aware of the potential risks and think about how you can navigate social networks securely.
Outside Help

If you have the budget for it, this can be a valuable option, perhaps taking the form of a round of pen testing followed by a seminar. Apart from seeing how easily a stranger can obtain inside information, training done by an outside group is generally viewed in a completely different light.
Conclusion

Many of those who fall for scams and schemes are intelligent, well-educated people who simply didn’t understand the risks. The desire to help out is a noble and very human impulse; the trick is to make sure that the wrong kind of people don’t receive potentially damaging information, without creating an atmosphere of distrust. If workers and management don’t feel that they can count on one another, this may actually hurt your security by making employees think “damned if I do.” Depending on your industry, you might need to consider even otherwise over-the-top attacks like blackmail. A supportive atmosphere enables people to ask questions when something seems “phishy,” as well as preventing some of the most damaging attacks, namely those from the inside.