You’ve invested in best-of-breed technology to secure your network, you are confident that you are following best practices for IT security, and you may have recently passed a compliance audit. But have you tested what is potentially the weakest link in your organization – your staff?
You may ask how that could be, with all the security training you provide and the constant barrage of news articles about breaches. Surely your staff must understand how critical it is to follow your processes and protect your data and reputation. Yet a recent report from the Associated Press confirms that an estimated half of reported cyber breaches were caused by (or unwittingly aided by) inside staffers.
This is why we incorporate social engineering into our security engagements. It’s great to confirm that technical protections are in place, but to truly measure how effective they are, we need to test the “carbon-based” systems as well – your people. In a recent engagement we sent 2,000 phishing emails, complete with misspellings to mimic the example emails shown in the staff’s security awareness training. Over 300 staff responded to our emails with their login and password information. In another engagement, one of our agents gained access to a data center by calling a second member of our team from his cell phone and handing the phone to the security guard; the colleague on the line pretended to be from the internal IT department and approved his entry.
Although the results can be sobering, the first step toward a true culture of security is to test it and confirm the current state, then share the results with the staff to help them understand that this time the hackers were working on their behalf, but next time it could be an actual breach. An organization that we had previously been able to enter freely, removing 3 laptops full of unencrypted data, successfully passed this year’s unannounced attempts by following its procedures to the letter. We can also help identify where controls may be able to protect against human error.
Bottom line – if you haven’t incorporated social engineering into your security testing, you have not truly tested your security.