Good blog posts over at Episteme and Andy's blog about employee awareness and social engineering. Teaching your employees not to trust people is a tall request, that's for sure! Most businesses are built on employees trusting each other. Like Andy mentions, you have to teach them to "trust, but verify".
I conduct social engineering tests on a regular basis, and I can tell you from personal experience that it is just too easy to bypass security controls by talking your way in with a convincing scenario. You will find that employees want to be helpful, almost too helpful at times. Holding the door open for you so you don't have to badge in, or giving a complete stranger login credentials to an application, are just a couple of examples. All it takes is someone with enough nerve to look and play the part of a fellow employee to take advantage of the kindness we all possess.
One thing I advocate is testing your own employees. This does two things. First, it gives management an idea of how bad it really is. Seriously, once executive management sees the problem first-hand, it becomes much easier to communicate the issue and win executive support. Second, it raises awareness among your employees, even if you target only a small segment of them. I would bet that the next time you ran a social engineering exercise on that same segment, you would get different results; people remember when they have been duped. Don't forget that word of a social engineering "test" spreads through the organization by word of mouth. All of this works in your favor on the awareness front.
How do you test your own employees? Very carefully! Seriously, there may be political boundaries to overcome, and that depends entirely on your company culture. Start with a small segment, like your own department if you are in Information Security. Yes, test your own people; you might be surprised by the results. A very low-impact way to start is a simple "phishing" simulation. Set up a simple web server and send out emails with embedded links to the server you just configured. Track the results by parsing the web server log to see who clicked the link. Strip out the IPs so the results in your report are anonymous. You can then put together a quick awareness piece with the high-level statistics and send it to everyone you targeted. Simple and effective.
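As an added example (this is not code from the original post), here is one way to do the log-parsing and anonymous-tally step above in Python. It assumes each recipient was emailed a link carrying a unique token (`/survey?t=<token>`), that you kept the set of tokens you issued, and that the web server writes Apache combined-format access logs. The token values, paths, addresses and log lines are constructed sample data, not real traffic. Counting unique tokens rather than raw hits means one person clicking twice is counted once, and hits with a token you never issued are reported separately instead of being guessed at.

```python
"""Tally clicks on a phishing-simulation link from a web server access log.

Added example, not part of the original post. Assumptions: each recipient got
/survey?t=<unique token>, ISSUED_TOKENS is the set of tokens you sent out, and
the log is Apache "combined" format. All sample data below is made up.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache combined line: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical tokens issued to the targeted segment (one per recipient).
# Keep the token -> person mapping off the web server and delete it afterwards.
ISSUED_TOKENS = {"a1b2c3", "d4e5f6", "g7h8i9"}

# Constructed sample log: fake addresses and timestamps, not real traffic.
# a1b2c3 clicks twice, d4e5f6 once, g7h8i9 never, and one unknown token shows up.
SAMPLE_LOG = """\
10.1.2.3 - - [12/Mar/2007:09:14:02 -0500] "GET /survey?t=a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.1.2.3 - - [12/Mar/2007:09:14:05 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.1.2.7 - - [12/Mar/2007:09:20:41 -0500] "GET /survey?t=d4e5f6 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.1.2.3 - - [12/Mar/2007:09:22:10 -0500] "GET /survey?t=a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.1.9.9 - - [12/Mar/2007:10:01:33 -0500] "GET /survey?t=zzzzzz HTTP/1.1" 200 512 "-" "curl/7.15"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tally_clicks(log_text, issued_tokens, landing_path="/survey", param="t"):
    """Aggregate counts only: no IP address or token is included in the result."""
    clicked = set()        # distinct issued tokens seen at least once
    unknown = Counter()    # hits carrying a token we never issued
    hits = 0               # every hit on the landing page with an issued token
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        url = urlsplit(rec["target"])
        if url.path != landing_path:      # ignore favicon, robots.txt, etc.
            continue
        token = parse_qs(url.query).get(param, [None])[0]
        if token in issued_tokens:
            hits += 1
            clicked.add(token)
        else:
            unknown[token] += 1
    n = len(issued_tokens)
    return {
        "recipients": n,
        "clicked": len(clicked),
        "click_rate": len(clicked) / n if n else 0.0,
        "total_hits": hits,
        "unknown_token_hits": sum(unknown.values()),
    }


def summary_report(stats):
    """The high-level statistics line for the awareness piece; nothing identifying."""
    return (
        f"Phishing simulation: {stats['clicked']} of {stats['recipients']} "
        f"recipients ({stats['click_rate']:.0%}) clicked the link; "
        f"{stats['total_hits']} visits in total; "
        f"{stats['unknown_token_hits']} visit(s) with an unrecognised token."
    )


if __name__ == "__main__":
    print(summary_report(tally_clicks(SAMPLE_LOG, ISSUED_TOKENS)))
```

Run it against your real access log in place of `SAMPLE_LOG`. The report contains only counts and a percentage, but the raw log and the token-to-person mapping still identify individuals, so restrict access to them and delete them once the awareness piece has gone out; that is what makes the "strip out the IPs" step hold up.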