Employees Need to Know They Will Be Tested on Social Engineering Responses

Lora Bentley

Evolve IP's Carl Herberger says companies should tip their employees off that they will be testing their response to different social engineering schemes. It's just like when department stores are routinely checked by corporate quality assurance personnel, he says. Employees should know that they will be tested and that they won't know exactly when the tests will come.


Because social engineering often occurs in the gray areas between information security and physical security, testing takes two forms: physical and logical. Physical tests are as easy as observing behavior. Does the receptionist check in visitors appropriately? Do employees allow others to piggy-back on their ID card when entering the building? What about passwords? Are they left on desks in plain view? Will employees pick up a randomly dropped USB device and use it?


Logical testing, using phishing and pharming techniques, takes many forms. It can come in an e-mail, via a Web site, in an instant message, or even in a phone call or a piece of snail mail. Surprisingly, Herberger says there is usually a 25 percent to 30 percent take rate on phishing schemes even in organizations where employees have been trained on what to avoid.


In a phone conversation Tuesday, Herberger told me the nice thing about the tests is they can be documented on video or audio. "It's one thing to instruct your employees on good behavior. It's another thing for them to know that, in this facility, this is what was achievable in a very short period of time," he said. He also noted that over time you may find certain employees just exhibit more risky behavior than others. "Sometimes, we find that the same person who clicked on the e-mail was the same person who picked up the infected USB drive outside of the area and used it."


Testing employee response to social engineering schemes is obviously important "to validate that the bad behavior is there and collect evidence that your controls are something you're serious about," Herberger says. However, it's also important to reward employees who respond correctly to the tests.
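The post describes three things a testing program has to get out of its results: the take rate per campaign, the employees who keep falling for tests across campaign types (the e-mail clicker who also picks up the USB drive), and the employees who responded correctly and should be rewarded. The script below, added here as an illustration and not part of the original post or of Evolve IP's tooling, computes all three from a constructed CSV of campaign outcomes; the campaign names, employee names, outcome labels and column layout are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of test-campaign results (hypothetical data, not from the post).
# kind: which social-engineering test was run; outcome: "fell" (clicked, plugged in,
# disclosed), "ignored", or "reported" (the employee told security about it).
SAMPLE_RESULTS = """\
campaign,kind,employee,outcome
P1,phishing_email,alice,fell
P1,phishing_email,bob,reported
P1,phishing_email,carol,ignored
P1,phishing_email,dave,fell
U1,dropped_usb,alice,fell
U1,dropped_usb,bob,ignored
U1,dropped_usb,carol,reported
U1,dropped_usb,dave,ignored
P2,phishing_email,alice,reported
P2,phishing_email,bob,reported
P2,phishing_email,carol,fell
P2,phishing_email,dave,fell
"""

VALID_OUTCOMES = ("fell", "ignored", "reported")
FAIL = "fell"
GOOD = "reported"


def parse_results(text):
    """Parse CSV text into a list of row dicts, rejecting rows with unknown outcomes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["outcome"] not in VALID_OUTCOMES:
            raise ValueError(f"unexpected outcome {row['outcome']!r} in campaign {row['campaign']}")
        rows.append(row)
    return rows


def take_rate(rows, campaign):
    """Fraction of employees targeted by the campaign who fell for it."""
    targeted = [r for r in rows if r["campaign"] == campaign]
    if not targeted:
        raise ValueError(f"no results recorded for campaign {campaign!r}")
    return sum(r["outcome"] == FAIL for r in targeted) / len(targeted)


def repeat_risky(rows, min_campaigns=2):
    """Employees who fell in at least min_campaigns distinct campaigns.

    Returns {employee: (number of failed campaigns, sorted list of test kinds failed)},
    so someone who failed both an e-mail and a USB test is visible as such.
    """
    fails = defaultdict(lambda: {"campaigns": set(), "kinds": set()})
    for r in rows:
        if r["outcome"] == FAIL:
            fails[r["employee"]]["campaigns"].add(r["campaign"])
            fails[r["employee"]]["kinds"].add(r["kind"])
    return {
        emp: (len(v["campaigns"]), sorted(v["kinds"]))
        for emp, v in fails.items()
        if len(v["campaigns"]) >= min_campaigns
    }


def reporters(rows, campaign):
    """Employees who reported the test to security: the ones to reward."""
    return sorted(r["employee"] for r in rows
                  if r["campaign"] == campaign and r["outcome"] == GOOD)


def summarize(rows):
    """Take rate per campaign, rounded for reporting."""
    campaigns = sorted({r["campaign"] for r in rows})
    return {c: round(take_rate(rows, c), 2) for c in campaigns}


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    print("take rate per campaign:", summarize(results))
    print("repeat risky responders:", repeat_risky(results))
    for c in sorted({r["campaign"] for r in results}):
        print(f"reported {c}:", reporters(results, c))
```

Reading the output on the sample data: the e-mail campaigns show a 50 percent take rate and the USB drop 25 percent, alice is flagged because she fell for both an e-mail and a USB test, and dave because he fell for two e-mail campaigns, while the reporters list for each campaign gives the people to reward rather than only the people to retrain.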

Sep 3, 2009 10:51 AM, M Ellard says:

Good point! And gets at something that's been in the blogosphere in a number of forms recently. It all boils down to a sense of ownership and responsibility - all employees need to understand the importance of what they are doing for the greater good and take part in making sure that things are done right.

I go back often to a post by Navin Sharma of Pitney Bowes http://ebs.pbbiblogs.com/2009/08/03/data-governance-its-everbodys-business/

It really gets at this need for all to be aware of and dedicated to doing the right thing for one's company - and I think applies just as accurately to your comments on social engineering too. Might want to check it out...

