Chapter 15. Information Security Awareness and Training

a social engineer has been given the assignment of obtaining the plans to your hot new product due for release in two months. What's going to stop him?

Your firewall? No.

Strong authentication devices? No.

Intrusion detection systems? No.

Encryption? No.

Limited access to phone numbers for dial-up modems? No.

Code names for servers that make it difficult for an outsider to determine which server might contain the product plans? No.

The truth is that there is no technology in the world that can prevent a social engineering attack.

SECURITY THROUGH TECHNOLOGY, TRAINING, AND PROCEDURES

Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful. Security technologies can make these types of attacks more difficult by removing people from the decision-making process. However the only truly effective way to mitigate the threat of social engineering is through the use of security awareness combined with security policies that set ground rules for employee behavior, and appropriate education and training for employees.

There is only one way to keep your product plans safe and that is by having a trained, aware, and a conscientious workforce. This involves training on the policies and procedures, but also—and probably even more important—an ongoing awareness program. Some authorities recommend that 40 percent of a company's ...

Get The Art of Deception: Controlling the Human Element of Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.