Are your staff your weakest security link?
You’ve put up firewalls and installed the latest patches and security software so your computer systems are safer than ever before. But could it all be jeopardised by your employees?
Recent tests have shown that most company employees will give up sensitive company information when simple social engineering tactics are used on them. Social engineering involves the use of psychological techniques to gain people’s trust and manipulate them into divulging the desired information.
During last month’s DEF CON 18 Hacking Conference in Las Vegas, Nevada, Social-Engineers.org invited ordinary people to use social engineering tactics to elicit specific pieces of information from target companies. The results were frightening: of the 140 company employees telephoned by the amateur contestants, only five refused to give up the information requested.
So how do you secure your organisation’s employees against this kind of activity?
Staff awareness and training are key. Make your employees aware of the threat that social engineers pose, and give them a clear set of policies for dealing with information requests:
- Check the caller’s identity. Get as much information about the caller as you can. Ask for the caller’s name, the name of the company they work for and a number where you can return their call.
- Never give up information immediately. Beware of information requests that are framed as “urgent” or “time-critical”. Making victims feel pressured into making bad decisions is a key social engineering tactic. If you aren’t sure whether you should give the information up, take the time to ask a manager for confirmation.
- Beware of escalating requests. Social engineers will often begin with a reasonable request and scale up from there to test their victim’s tolerance level. If you find yourself divulging more and more information, terminate the call.
- Avoid getting personal. Resist the urge to trust callers who are especially friendly and open about sharing personal details with you. This is a common technique used to get people to share their own information.
If you are worried about protecting your data, speak to PEM IT Services today about an Information Risk Management Review. This will assess the risks of data leakage from your organisation and provide you with guidance and help on how to protect against them. You can contact PEM IT Services on 01223 728 205 or email it@pem.co.uk.