Social Engineering and Your Organization’s Future
Most organizations pay a high price to keep their data secure, including upgraded firewalls, routers, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), web filters, and security information and event management (SIEM). These devices, and the cost of managing them, run organizations upwards of tens of thousands of dollars. As IT professionals, we tend to build a huge defense and incident response program without really knowing how our biggest risk will respond under pressure.
Most people are aware that an organization’s largest risk by far is its employees. A ransomware incident or breach could cost enough to close a small or mid-size organization. Most organizations will, at the very least, do annual security awareness training for their employees. It is usually mandatory, and employees sign off on their attendance. The next day it is business as usual.
IT professionals need to stop treating security awareness training like a software or hardware patch. Employees are living, breathing, finicky clickers, and what they click on depends on what they ate for breakfast and/or the state of their current relationship. Our largest challenge as IT professionals is building smart security habits into employees’ daily lives. An insecure employee outside of work is an insecure employee at work. What you do under pressure has to be second nature, a learned activity.
When I am 20 feet up in a tree pulling back on my bowstring on a 10-point buck, I am no longer thinking about technique. Technique has to have been a learned activity through hours of practice. There is a difference between shooting a buck and shooting a target. If security is not a learned activity, get ready for a breach or ransomware, because you have been lucky so far. Are your employees’ good security habits second nature or only good when they are in the right mindset?
Social engineering through a third-party penetration tester is a fantastic way to find out whether your employees are just signing the paper at the mandatory security awareness training or whether security has become a learned activity. Another useful activity is to constantly phish employees using software such as ThreatSim Simulated Phishing Attacks. Please do not get a false sense of security if your employees do a great job against substandard phishing attempts. Real attackers are sophisticated, and their emails will look real.
What is your organization doing to make sure security is a learned activity?
For more information on IT security or to discuss social engineering further feel free to reach out to Dave Hammarberg, Principal and Director of Information Technology.