A social engineer has been given the assignment of obtaining the plans
to your hot new product due for release in two months. What's going to stop him?
SECURITY THROUGH TECHNOLOGY, TRAINING, AND PROCEDURES
Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful. Security technologies can make these types of attacks more difficult by removing people from the decision-making process. However, the only truly effective way to mitigate the threat of social engineering is through the use of security awareness combined with security policies that set ground rules for employee behavior, and appropriate education and training for employees.
There is only one way to keep your product plans safe, and that is by having a trained, aware, and conscientious workforce. This involves training on the policies and procedures, but also—and probably even more important—an ongoing awareness program. Some authorities recommend that 40 percent of a company's overall security budget be targeted to awareness training.
UNDERSTANDING HOW ATTACKERS TAKE ADVANTAGE OF HUMAN NATURE
To develop a successful training program, you have to understand
why people are vulnerable to attacks in the first place. By identifying these
tendencies in your training—for example, by drawing attention to them in
role-playing discussions—you can help your employees to understand why we can
all be manipulated by social engineers.
Manipulation has been studied by social scientists for at least
fifty years. Robert B. Cialdini, writing in Scientific American (February 2001), summarized this
research, presenting six "basic tendencies of human nature" that are
involved in an attempt to obtain compliance to a request.
CREATING TRAINING AND AWARENESS PROGRAMS
Issuing an information security policy pamphlet or directing employees to an intranet page that details security policies will not, by itself, mitigate your risk. Every business must not only define the rules with written policies, but must make the extra effort to direct everyone who works with corporate information or computer systems to learn and follow the rules. Furthermore, you must ensure that everyone understands the reason behind each policy so that people don't circumvent the rule as a matter of convenience. Otherwise, ignorance will always be the worker's excuse, and the precise vulnerability that social engineers will exploit.
The central goal of any security awareness program is to influence people to change their behavior and attitudes by motivating every employee to want to chip in and do his part to protect the organization's information assets. A great motivator in this instance is to explain how their participation will benefit not just the company, but the individual employees as well. Since the company retains certain private information about every worker, when employees do their part to protect information or information systems, they are actually protecting their own information, too.
TESTING
Your company may want to test employees on their mastery of the information presented in the security awareness training, before allowing computer system access. If you design tests to be given online, many assessment design software programs allow you to readily analyze test results to determine areas of the training that need to be strengthened.
Your company may also consider providing a certificate testifying
to the completion of the security training as a reward and employee
motivator.
ONGOING AWARENESS
Most people are aware that learning, even about important matters, tends to fade unless reinforced periodically. Because of the importance of keeping employees up to speed on the subject of defending against social engineering attacks, an ongoing awareness program is vital.
One method to keep security at the forefront of employee thinking is to make information security a specific job responsibility for every person in the enterprise. This encourages employees to recognize their crucial role in the overall security of the company. Otherwise there is a strong tendency to feel that security "is not my job."
WHAT'S IN IT FOR ME?
In addition to security awareness and training programs, I strongly recommend an active and well-publicized reward program. You must acknowledge employees who have detected and prevented an attempted social engineering attack, or in some other way significantly contributed to the success of the information security program. The existence of the reward program should be made known to employees at all security awareness sessions, and security violations should be widely publicized throughout the organization.
On the other side of the coin, people must be made aware of the consequences of failing to abide by information security policies, whether through carelessness or resistance. Though we all make mistakes, repeated violations of security procedures must not be tolerated.