Social Engineering - Mitigating Your Risk

As we look into 2016 and what trends are going to take place this year in the world of Information Security, there is one thing that we can predict with significant confidence: Employees will remain the biggest threat to your Information Security Program and ultimately the safety of the sensitive data that your organization holds on their network. This is not meant to be negative in any way, rather it is simply a fact of doing business in the 21st century and as we move more and more things to the Internet. We can invent the greatest technology in the world but at the end of the day, there is a person somewhere in the chain of command that has to manage that technology and make sure it is configured correctly. Likewise, there are people in your organization who will be the targets and subjects of phishing and spear phishing attacks which ultimately could compromise the security of your data. None of these are malicious acts by your employees but simply consequences of the way that we do business today. How do we change this? How to we mitigate the threats associated with the human element of Information Security? 

I am sure you are familiar with the term Social Engineering, but have you ever considered what this term really means? According to KnowBe4, Social Engineering can be defined as the art of manipulating, influencing, or deceiving you (employee) in order to gain control over your computer system. Social Engineering attempts are considered an art. That, to me, is pretty scary. To me, that indicates that the perpetrators of these types of attacks take pride in their work and use many different strategies or concepts to perfect their work, ultimately tricking an employee into giving up the keys to the kingdom and access to your sensitive, confidential data. How can we prevent or mitigate the chances of these attacks from taking place in your organization? Here are a couple of ideas and places to start:

• Social Engineering Assessments - You have to start somewhere and there is really no better place than starting with an assessment of your current position. Can someone walk into your organization and gain access to your server room? Can someone call your accounts payable clerk and pretend to be an IT person from your company and install Malware on their computer? Can I send your CFO a bogus UPS invoice that contains a link to install Malware or Ransomware on their computer? The only way to find out is to conduct an assessment to see what you're dealing with and proceed from there
• Create a Culture of Security - You are probably asking what that possibly could mean? When your employees see a strange person trying to gain access to the server room, do they feel confident that they can ask/confront that person as to what they are doing? When that accounts payable clerk gets that call from IT to install programs on their computer, can they ask for some form of verification that they are in fact from the company? Empower your employees to ask the questions that most are afraid to ask. This doesn't have to be confrontational at all but it needs to be done to build that culture of security in your company. Hackers and thieves go for low hanging fruit and the path of least resistance. Allow your employees to put up some resistance to something that doesn't quite feel right
• Test, Test, Test - This goes along with points 1 and 2 above. Test your employees on a regular basis. It is great that organizations have their employees take Security Awareness Training but what good is taking a 45 minute class if you don't put any of the information to use? Does the training say not to share your password with anyone else or post it in a public spot? Open a few desk drawers to see if there is a password sitting there. Does the training say not to click on suspicious links in emails? Send some suspicious links and see what percentage of your employees click on the link. Education is a great starting point but the application of what they learned will go a lot farther in protecting your sensitive data

As a part of the Compass IT Compliance Webinar Series, the topic for January is Social Engineering and looking at the human element of Information Security. This is a free, 30 minute educational webinar that is designed to share information with you so you can protect your data and keep your confidential information safe. Click on the link to register below, here are the details:

What: Social Engineering: Understanding the Human Element in Information Security

When: January 21st at 1:00 PM EST

Duration: 30 Minutes plus a Q&A Session

Where: Online, Register Below

Cost: FREE

Thanks and we can't wait to share some key strategies to help you and your organization mitigate your risk related to your employees!