to be helpful,” says Joan S. Hash, group manager for information security at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland. “Social engineers take advantage of people’s desire to be helpful.” This, of course, makes it easier for them to compromise your organization — and your employees. Hash cites a case in which a husband was searching for his estranged wife: “Through social engineering, he was able to get the name and address of her new employer. He tracked her down and beat her up badly.” The damage social engineering causes can run the gamut from downed networks, identity theft and equipment theft to terrorism, says Hash.
WHAT TO DO NOW
The best defense against social engineering is education, says Andrew A. Ryan, CEO of Andrew Ryan Consulting, Inc. of Alexandria, Virginia (www.andrewryanconsulting.com), and currently an IT consultant for the National Society of Black Engineers (www.nsbe.org), also in Alexandria. “IT personnel should not assume that end-users are as adept at recognizing technological risks as they are. Therefore, it’s really important to educate your end users that these things can happen.”
One way to do this in a small company is to identify a “point person,” someone in charge of what happens to the system. “In a larger organization, there needs to be a more efficient process for validating the authenticity of an individual. It may be as simple as issuing corporate IDs with different color dots on a rotating basis, so someone using an old or stolen ID can easily be recognized.”
Hash adds that companies should also make sure employees report any calls asking for information about tech systems to the security representative in the organization. “Every agency chief information officer runs the IT department and is also in charge of making sure they have a well-supported, fully functioning security program in place,” says Hash. She adds that NIST works with both the government and the private sector, reaching out to small- and medium-size businesses at security forums and conferences. Companies can also check out private business support and best practices at NIST’s Computer Security Resource Center at http://csrc.nist.gov.
“A company can spend thousands of dollars on intrusion detection software, virus detection software, malicious intrusion detection, and firewalls — and someone can walk right in and say they’re from the local computer company and then trash your systems,” says Ryan. “Physical security is often the most overlooked aspect of security, and you’ve got to wrap your arms around it.”
Andrew Ryan offers these tips for helping employees keep security in mind at all times:
- Put your security policy in the employee handbook, and make it one of the things you review with new employees.
- Place security alerts on your Intranet page where there is access to sensitive data, such as purchase orders, expense reports, and timesheets — all areas that only your employees should be privy to.
- Remind employees that no one should ever ask them for their password.
- Cracker: A cracker uses computer technology to break into other systems to steal or