Evolve IP's Carl Herberger has been guest blogging at IT Business Edge recently. Early this month, he noted that social engineering is on the increase and one of the top 10 things companies should be guarding against in the coming year. He says:
Today, attackers are using current events such as the mortgage crisis, stimulus spending packages, and various "bailout" schemes to make their "bait" more convincing, and are employing more efficient attacking techniques and automations. Moreover, social engineering fraud techniques, such as phishing and pharming, are expanding...
It makes sense, and of course, the minute companies beef up their security to combat a particular threat, hackers come up with something new. But has your company ever "tested" employees to see which social engineering schemes, if any, they will fall for? That's what Herberger suggests in a post from last week:
The first step is to test the riskiness of employee behavior through routine social engineering engagements. Make this a routine activity that is integrated into the culture of the organization.
But how can that be done, exactly? At some point, don't you have to tell employees that management is engineering these phishing or pharming schemes? And at that point, don't the tests cease to be effective? Once you do tell them, what if they mistake an actual attack for a management "test"? And what if the routine testing fosters apathy toward the real thing? After all, one can only cry "Wolf!" a few times before losing credibility.
I can't wait to pick Herberger's brain about these issues. If all goes well, I'll get that chance early next week. Stay tuned.