What do you think poses the most danger to business security? If you think it’s a hacker hiding in his basement or a masked thief, you would be wrong. The most dangerous attack doesn’t appear to be an attack at all. It comes in the form of a charismatic, normal-looking human.
What is this attack? Well, I’m sure you could guess that social engineering is to blame.
Alright, you know that. What you might not know is “why”, and what that means for business security. To understand that, we first need to look at the damage social engineering causes, without getting into specifics.
Social engineers can compromise entire systems, steal valuable personal information, and do a variety of other things to damage a business. These attacks can cause businesses to lose money and customers. Next, we need to find out why these attacks happen.
Social engineering attacks are more successful than any other attacks because they focus on the human element. This means instead of trying to break through expensive firewalls, they call and ask the secretary for a seemingly simple favor. Humans are the weakest link in any security system. They are the most vulnerable. Furthermore, the element of human security is the most overlooked. By overlooked I mean not addressed at all.
Most Vulnerable? Human Security, again.
The human security element is the most vulnerable because humans are the easiest to manipulate. We know what the problem is, now what do we do about it? First you have to realize that the human element is unlike any other type of security (physical, network, etc.). This means you can’t just throw money around and expect to be secure. Additionally, those who have realized they need to address the human security element have done so poorly. They think you can just show someone a video and make it all better. As if showing an employee a video they don’t want to watch in the first place will make them not only understand the danger, but also show them how to mitigate the risk. Nope, hardly likely.
What to do about it?
Well, then, what does one do to solve this problem? The answer comes in a three-step approach: Discovery, Education, and Awareness. This leads to the ability to handle attacks and danger, which in turn leads to security and peace of mind.
First, you need to open the eyes of those you are training. They need to understand there is real and present danger out there. Without doing this, nothing else you try to teach will be of any significance to them. Second, you need to educate employees about this risk and the threats it poses. They aren’t meant to be scared by education, but to be given a wake-up call. “Hey, this isn’t just stuff we have to tell you, it can and will happen. If you don’t handle it correctly, we face major problems.” Third, you need to create a culture of awareness, to act as a web of security. This “web” will be ready to identify and handle attacks accordingly whenever they happen. Because it’s not a matter of “if”, but “when”.
There are a variety of ways you can go about this human security training, but remember, it is unlike any other form of security. It requires much more time and understanding. It will be well worth it though, considering the human element is the most dangerous yet overlooked element of security.