Most of the time, humans are the weakest element in a security system. It is generally easier to deceive a person than a machine. To have complete security, an organisation must therefore protect not only its computers but also its employees from malicious manipulation.
A skilled social engineer can break into a computer network or a security system simply by exploiting the people who "guard" or operate it, with very little technical knowledge required. This is why social engineering poses such a large threat to organisations, especially those with many employees, since every employee is a potential point of entry.
Office employees therefore need to be prepared to recognise and refuse social engineering attempts and to follow security procedures. This can only be achieved through proper training and monitoring. Security policies must also be enforced so that an employee cannot unknowingly do something that puts the organisation's security at risk.
Many corporations have very good physical security but fail to train their employees against accidentally divulging sensitive information (such as passwords) to cunning social engineers. A strong security policy defines what an employee may do or say in response to a request. If a would-be attacker asks for information that the policy forbids the employee from disclosing, the employee has a clear, pre-approved reason to refuse, and does not have to rely on judging the caller's sincerity on the spot.
Security policies must be focused and specific; too many guidelines only confuse employees. Here is a list of pointers on what a good security policy should do:
- Classify information according to who inside the organisation may access it.
- Implement clearance levels that define who can access which data, equipment or physical locations.
- Implement proper authentication procedures for handling requests for password changes and other account-related problems, so that a caller's identity is verified by something other than what the caller claims.
- Keep all rubbish in secured, monitored places.
- Shred all unwanted but sensitive documents instead of simply crumpling them and throwing them in the dustbin.
- Establish clear procedures for employees to report breaches of security.
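The two policy points that are most often subverted by social engineers are the clearance check and the password-reset procedure: an attacker phones the helpdesk, claims to be an employee, and asks to be "called back" on a number they supply. The following is an added example, not code from the original article or its references, showing one way to implement both points so that the reset never relies on anything the caller asserts. The employee names, phone numbers and ticket layout are constructed for illustration; the "out-of-band delivery" of the one-time code is modelled by recording the number of record on the ticket rather than actually placing a call.

```python
"""Clearance check and password-reset workflow that does not trust the caller.

Added example (hypothetical names and numbers). The callback number always
comes from the directory of record, never from the person asking for the reset.
"""
import secrets
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Clearance(IntEnum):
    """Information classification levels, lowest to highest."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Employee:
    username: str
    clearance: Clearance
    phone_on_record: str  # from HR records, never from the caller


# Constructed directory of record (hypothetical employees).
DIRECTORY: Dict[str, Employee] = {
    "asmith": Employee("asmith", Clearance.CONFIDENTIAL, "+1-555-0100"),
    "bjones": Employee("bjones", Clearance.INTERNAL, "+1-555-0101"),
}


def can_access(employee: Employee, label: Clearance) -> bool:
    """Clearance-level check: an employee may read data at or below their level."""
    return employee.clearance >= label


@dataclass
class ResetTicket:
    username: str
    callback_number: str  # where the one-time code was actually sent
    code: str             # one-time code delivered out of band
    used: bool = False


class ResetDesk:
    """Password-reset desk. Identity is proven by possession of the phone
    number HR has on file, not by anything the caller says on the first call."""

    def __init__(self, directory: Dict[str, Employee]) -> None:
        self.directory = directory
        self.tickets: Dict[str, ResetTicket] = {}
        self.audit: List[str] = []

    def open_request(self, claimed_user: str, caller_supplied_number: str) -> Optional[str]:
        """Stage 1: take the request and send a one-time code to the number of
        record. The caller-supplied number is logged for the record but is
        deliberately NOT used for the callback."""
        emp = self.directory.get(claimed_user)
        if emp is None:
            self.audit.append(f"DENY unknown user {claimed_user!r}")
            return None
        if caller_supplied_number != emp.phone_on_record:
            self.audit.append(
                f"WARN {claimed_user}: caller gave {caller_supplied_number}, "
                f"record says {emp.phone_on_record}; using the record")
        ticket_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self.tickets[ticket_id] = ResetTicket(claimed_user, emp.phone_on_record, code)
        self.audit.append(
            f"OPEN {ticket_id} for {claimed_user}, code sent to {emp.phone_on_record}")
        return ticket_id

    def complete(self, ticket_id: str, presented_code: str) -> bool:
        """Stage 2: the employee calls back and reads out the code they received
        on the number of record. Each ticket allows exactly one attempt, so a
        wrong guess burns the ticket and a fresh request must be opened."""
        ticket = self.tickets.get(ticket_id)
        if ticket is None or ticket.used:
            self.audit.append(f"DENY {ticket_id}: no open ticket")
            return False
        ticket.used = True  # single use, whether or not the code matches
        if not secrets.compare_digest(ticket.code, presented_code):
            self.audit.append(f"DENY {ticket_id}: wrong code for {ticket.username}")
            return False
        self.audit.append(f"RESET {ticket.username} via {ticket_id}")
        return True


if __name__ == "__main__":
    desk = ResetDesk(DIRECTORY)
    # An attacker claiming to be asmith asks to be called back on their own number.
    tid = desk.open_request("asmith", "+1-555-0199")
    print("\n".join(desk.audit))
    print("callback went to:", desk.tickets[tid].callback_number)
```

The point the code makes is that the helpdesk procedure decides where the verification goes, not the requester. Whatever number or story the caller offers, the code is sent to the directory entry, the mismatch is recorded for later review, and one wrong guess closes the ticket rather than allowing repeated attempts.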
An organisation's security training should span the entire organisation. All employees, whether or not they have computer access, must be taught to safeguard sensitive information. Here are a few things to keep in mind:
- All new employees must go through a security orientation and be formally introduced to the company's security policies. From then on, ignorance is no longer an excuse.
- Refresher courses must be held regularly to keep employees aware of the risks of relaxing security, since attention to procedure fades when it is not reinforced.
- Make the training sessions engaging by using videos, news articles and brochures; concrete incidents help employees grasp the concepts quickly.
It is not possible to watch everyone at all times, but if and when an employee is caught jeopardising the company's security, he or she should be disciplined fairly so as to set an example for the rest. Employers should also foster a positive work ethos so that employees see no reason to bring harm to their company.