Social Engineering and Employee Engagement
I was reading a post by Mike Murray today about Social Engineering and awareness in business (full disclosure: Mike is my husband, in addition to being a respected blogger). When I got to the end, I thought, wait! There is more to it!
The problem with this is simple: an agile, responsive and successful business is built on a lack of boundaries and a healthy level of organizational trust. The kind of mistrust that most infosec people would intentionally engender in their users would cause significant inefficiencies within most organizations.
So, if we’re not teaching our users to not blindly give out information, or to verify everything, what do I think we should be teaching them?
Instinct. Most people who are in infosec have developed an instinct for when things “don’t smell right”, such as when an email just seems a little bit “phishy” (pun intended).
It is not just about trust or mistrust. One of the deeper issues is what motivation the employees have to act on instinct or suspicion. Why would they want to protect the company against social engineers? An employee who doesn’t care much about their job and only comes in for the paycheck probably won’t be putting too much effort into protecting the company’s information. However, an employee who is engaged, feels like a valued member of the team (at large) and understands the hows and whys will most likely be the hardest one to “break”.
The people at the front lines (admins, reception, etc.) are often the ones who have the most power to give out information and names, and/or to open the door. These are also often the employees who are given the least attention, training and respect. Encourage your employees to ask questions when something doesn’t “smell right”! Congratulate them when they are successful protectors. Above all, remember that perceived value goes full circle.