If there is one thing that is tough to prevent, it is a person whose curiosity overrides their better judgement. Human nature leans toward discovery. If someone believes a valuable piece of information is available, there’s a very good chance she will satisfy her curiosity.
Social engineering, the process of obtaining confidential information by tricking people into doing things they should not do, is on the rise. So how can you help your staff recognize social engineering before it’s too late?
Here are a few tips:
1. Create a process for validating outside inquiries.
Often, an attacker has done their homework and already holds certain pieces of information, such as another employee’s name or calendar, which they use to establish credibility. Create a process for inquiries, making someone the gatekeeper for such calls. Tell staff not to give out confidential information before checking with the gatekeeper.
2. Secure access into the organization.
Does your organization have guards? If not, it is the job of every employee to be alert to outsiders.
Name badges are another way to do this; require everyone to keep them visible. Explain to staff that it is perfectly legitimate to say, “I’m sorry, who did you say you were with again?” Teach awareness through fun exercises and safety posters.
3. Train staff to resist picking up strange USB keys.
This is difficult because it is where a person’s curiosity can get the best of them. However, a person has no idea what is on a found USB key. Would they eat food left on the floor of the kitchen? (Some, unfortunately, might!) Why would anyone take a found USB key and plug it into their computer? Curiosity. Create an incentive program for employees to return found keys to an IT administrator.
4. Fine-tune a sense of good customer service.
Most people are helpful. This helpful nature is especially nurtured by organizations that want to provide good customer service to both internal staff and external contacts. Attackers take advantage of this by insisting that it would “be very helpful” if they could get someone’s confidential information in order to do their job. Train your staff to stick to the plan of verifying all inquiries through the proper channels. Help employees understand that this approach is truly the most “helpful,” since they’ll be saving the company countless dollars if it’s an attack.
Consistent awareness is the key to resisting social engineering attacks. Use these tips to reduce the likelihood of a successful attack. Stay safe!
Can you share any fun security exercises and posters?
We have used some freeware tools to make crossword puzzles, word searches and the like, and then offered movie tickets as a raffle for those who have completed them. Have the puzzles reinforce key security concepts.
Some clients have worked with us to develop reward programs for employees who spot and report anomalies and log entries that the security team should focus on.
In terms of posters, they are generally ineffective. Instead, we would suggest multimedia engagement – such as podcasts, quick videos and role playing exercises. These more active engagement processes go a lot farther in bringing awareness to the user population. Reach out to me on Twitter (@lbhuston) if you want to discuss specifics or your particular user base.