Evolve IP's Carl Herberger says companies should tip their employees off that they will be testing their response to different social engineering schemes. It's just like when department stores are routinely checked by corporate quality assurance personnel, he says. Employees should know that they will be tested and that they won't know exactly when the tests will come.
Because social engineering often occurs in the gray areas between information security and physical security, testing takes two forms: physical and logical. Physical tests are as easy as observing behavior. Does the receptionist check in visitors appropriately? Do employees allow others to piggy-back on their ID card when entering the building? What about passwords? Are they left on desks in plain view? Will employees pick up a randomly dropped USB device and use it?
Logical testing, using phishing and pharming techniques, takes many forms. It can come in an e-mail, via a Web site, in an instant message, or even in a phone call or a piece of snail mail. Surprisingly, Herberger says there is usually a 25 percent to 30 percent take rate on phishing schemes even in organizations where employees have been trained on what to avoid.
In a phone conversation Tuesday, Herberger told me the nice thing about the tests is they can be documented on video or audio. "It's one thing to instruct your employees on good behavior. It's another thing for them to know that, in this facility, this is what was achievable in a very short period of time," he said. He also noted that over time you may find certain employees just exhibit more risky behavior than others. "Sometimes, we find that the same person who clicked on the e-mail was the same person who picked up the infected USB drive outside of the area and used it."
Testing employee response to social engineering schemes is obviously important "to validate that the bad behavior is there and collect evidence that your controls are something you're serious about," Herberger says. However, it's also important to reward employees who respond correctly to the tests.
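A small defender-side analysis of the kind of test log Herberger describes, added here as an example (not from the article or Evolve IP): it computes the per-campaign take rate, flags employees who fell for more than one kind of test (the e-mail click plus the USB drop), and lists those who reported every test so they can be rewarded. The test records are constructed sample data and the outcome labels are assumptions.

```python
from collections import defaultdict

# Constructed sample log of simulated social-engineering tests (not real data).
# Each tuple: (campaign, test_type, employee, outcome); outcome is assumed to be
# "fell_for_it" (clicked / plugged in / gave info), "ignored", or "reported".
SAMPLE_RESULTS = [
    ("2024-Q1", "phishing_email", "alice", "reported"),
    ("2024-Q1", "phishing_email", "bob",   "fell_for_it"),
    ("2024-Q1", "phishing_email", "carol", "ignored"),
    ("2024-Q1", "phishing_email", "dave",  "fell_for_it"),
    ("2024-Q1", "usb_drop",       "bob",   "fell_for_it"),
    ("2024-Q1", "usb_drop",       "carol", "ignored"),
    ("2024-Q1", "usb_drop",       "dave",  "reported"),
    ("2024-Q1", "usb_drop",       "erin",  "ignored"),
    ("2024-Q2", "phishing_email", "alice", "reported"),
    ("2024-Q2", "phishing_email", "bob",   "fell_for_it"),
    ("2024-Q2", "phishing_email", "carol", "fell_for_it"),
    ("2024-Q2", "phishing_email", "dave",  "ignored"),
    ("2024-Q2", "vishing_call",   "alice", "reported"),
    ("2024-Q2", "vishing_call",   "bob",   "ignored"),
    ("2024-Q2", "vishing_call",   "erin",  "fell_for_it"),
]


def take_rate(results, campaign=None, test_type=None):
    """Fraction of tested employees who fell for the lure, optionally
    filtered by campaign and/or test type; 0.0 when nothing matches."""
    rows = [r for r in results
            if (campaign is None or r[0] == campaign)
            and (test_type is None or r[1] == test_type)]
    if not rows:
        return 0.0
    return sum(1 for r in rows if r[3] == "fell_for_it") / len(rows)


def repeat_offenders(results, min_types=2):
    """Employees who fell for at least `min_types` distinct kinds of test,
    e.g. both the phishing e-mail and the dropped USB drive."""
    failed = defaultdict(set)
    for _campaign, test_type, employee, outcome in results:
        if outcome == "fell_for_it":
            failed[employee].add(test_type)
    return {e: sorted(t) for e, t in failed.items() if len(t) >= min_types}


def consistent_reporters(results, min_tests=2):
    """Employees who reported every test sent to them (reward candidates)."""
    seen, reported = defaultdict(int), defaultdict(int)
    for _campaign, _test_type, employee, outcome in results:
        seen[employee] += 1
        reported[employee] += outcome == "reported"
    return sorted(e for e in seen if seen[e] >= min_tests and reported[e] == seen[e])
```

On the sample data the Q1 phishing e-mail take rate is 50%, `bob` is the only employee who fell for two different test types, and `alice` is the only consistent reporter.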