When thinking about information security, professionals all too often focus on implementing security controls based on the Open Systems Interconnection (OSI) model, a seven-layer guide detailing an architecture of data communications for networked computers. However, there is danger since any security control, no matter how complex the configuration, can be circumvented by an attacker who gains the information they need by simply asking.
Often considered “layer eight” of the OSI model, the human factor is our greatest vulnerability. While this form of attack is more of a self-serve buffet than an actual incursion, it nevertheless gets the criminal what they want: information. The question is: if this is our greatest vulnerability, then why is it neglected? The answer is two-fold. IT staff acknowledge this weakness and throw up their arms in despair, believing the battle is futile. These same administrators also often refuse to admit that this attack can happen to them or their organization.
But social engineering can and often does happen to organizations of all types. The good news is that this type of attack can be prevented using a combination of education and social engineering “employee audits.” Employee education at the time of hire, as well as periodically throughout the year, is vital to keeping successful social engineering attempts at bay. During training, employees are introduced to what social engineering is, how prevalent it is, how some attacks are actually carried out, and what the impacts of a successful attack would be to the business and to them personally. Covering the personal effects of social engineering helps keep it in mind as a conscious thought, even when employees are off work and in a personal environment. Furthermore, random “auditing” that uses mock social engineering attacks should be applied to individuals or departments to confirm the training's effectiveness.
Information security is the duty of all employees – not just the IT staff – and we must all do our part to maintain the integrity of our organizations and their assets.