Most companies realize that you can spend millions on network security but one of the biggest gaps is the employee. The human element of a workforce can easily be exploited once you understand the basic psychology of human behavior. Most people at their very core simply want to be helpful. People generally want to be nice and are often concerned about what people think of them. We see this time after time when we are doing a social engineering engagement for our clients. Do you want to get into a locked door – load up with boxes and follow an employee, “Oh – can you hold that for me?” Really – who wants to be the person that says, “No – put down those boxes and struggle with it yourself.”? Looking for a password – phishing emails are all too easy to the naturally trusting person. With basic precautions the email looks legitimate, and many will click the email and, in the process, load malware giving a malicious actor full access to their computer. Physical security – many times this is a false sense of security. Often times security guards are hired for low wages and without extensive training. Certainly this is not always the case, but many times it is. While the visual effect of a security guard can be a deterrent, to the experienced person seeking to infiltrate your business it’s often a mild annoyance that simply requires a little more surveillance and planning.
One of the best ways you can strengthen the human element is to test the human element. Whether this is through an outside company or internal tests. People respond to real-life examples. You can teach seminars and send emails about social engineering with somewhat limited results. However, when someone actually falls for an infiltration scam, and they later find out it was a test and are told the results of the actions of the person who infiltrated the company – that lesson sticks.
Many times employees don’t understand the critical role they play in the security of your business. However, once they see first hand the potential results of their actions, it becomes much easier to tell the person with the boxes that they must go to the front door and sign in. It becomes more comfortable to call your IT department about an email – even if it seems to be okay.Regardless of your industry, real world testing simply makes your business stronger. What will you do this month to help your people learn how critical they are to your security?