Ira Winkler is president of Secure Mentem and co-host of “The Irari Report,” and Dr. Larry Ponemon is chairman of the 3M-sponsored Visual Privacy Advisory Council and the chairman and founder of the Ponemon Institute.
Your workers are your most valuable asset. But they can also be your biggest security vulnerability.
Today, hackers are using social engineering to bypass technical safeguards – accessing sensitive information in new ways verbally, electronically, physically and visually. The specific tactics vary, but they all involve manipulating people to do something they wouldn’t otherwise do.
Phishing emails are the most prominent form of social engineering. The Anti-Phishing Working Group in March reported 84 million new malware samples were captured in 2015. And despite the fact that phishing attacks are a well-known threat, they continue to be successful. Nearly one in three workers today open phishing messages and about one in 10 click on attachments, according to Verizon’s 2016 Data Breach Investigations Report.
Social engineering can involve impersonation, such as someone posing as an IT help-desk technician or a delivery person, to gain physical or electronic access to sensitive information. It also can involve an employee persuading their fellow colleagues under false pretenses to give up sensitive data or network access, which is the method Edward Snowden used to gather classified material, Reuters reported Nov. 7, 2013.
The Importance of Good Governance
Social engineering most commonly involves exploiting companies that have poorly implemented policies and procedures in place, or lack them altogether.
Policies and procedures should define worker responsibilities and appropriate behaviors for dealing with potential social-engineering tactics. However, even the best policies and procedures can be futile if they’re not communicated properly to workers. This makes awareness training critical. Workers should understand the value of information they handle, possible threats to this information, and the policies and procedures in place for dealing with these threats first-hand.
For example, many companies have a policy against writing down passwords, but it is still common practice. IT managers should regularly walk through the building and see if policies are being followed.
Are passwords visually accessible? Are valuable documents left on desks or near printers? Can people see sensitive information on computer monitors? Training should be continuous and connected to the relevant issues observed during the walkthroughs.
Cybersecurity gaps can similarly be monitored. Conducting a mock phishing test can measure your workers’ behavior before an actual phishing scheme does. Those who fail the test can receive remediation training.
Adding Layers of Protection
Complete policy compliance among your workers is always the goal. But you should still plan for those instances where workers are compromised, especially as hackers continue to adjust social engineering tactics and seek new ways to exploit workers.
That’s why adding layers of protection as part of a defense-in-depth security approach is essential.
For example, privacy filters can help protect sensitive data displayed on computer and device screens by blocking unauthorized side views. Other important protection measures include implementing clean-desk policies, using password-protected screensavers and requiring that sensitive information be printed and stored in locked areas.
Regular penetration testing can help identify vulnerabilities in these areas, as well as other gaps, such as ineffective building security, poorly trained security personnel, and employees unwilling to confront strangers.
Paired with regular training, these cybersecurity measures and physical layers of protection can help thwart attacks from many different angles.
Take Charge of Your Security
Too often, a company will develop a sound security policy but fail to implement it. This can be a recipe for disaster against social engineering tactics that are only becoming smarter and more targeted.
After all, good security doesn’t result from wishful thinking or good luck. Rather, it’s the result of a good governance approach that both informs employees and drives their behaviors, with additional security safeguards providing added layers of critical security.