Enterprises must invest more heavily in staff training and social engineering tests to ensure corporate data cannot be compromised by outsiders who trick their way into the company, according to experts at this year’s ISSE event in Warsaw.
Sharon Conheady, a consultant in social engineering for consultancy Ernst & Young, explained that the scale of the problem is often underestimated by firms, because many are unaware it is even going on.
She revealed criminals are using tools such as Google and company web sites to research and gather information about a particular firm, before conning their way into the building with the aim of stealing sensitive data.
“The key to preventing [attacks] is education and awareness,” Conheady argued. “It’s a good thing to employ someone to test your physical and security controls and see how aware staff are about them.”
Other speakers at the event advised firms how best to go about educating their staff. Gigi Tagliapietra of Italian computer security association CLUSIT, argued that managers need to personalise their message and build a relationship of trust with their users, so individuals understand the consequences of their actions.
“It’s all about continuity, simplicity and taking one subject at a time,” he said. “People will do things if you show them why they should – corporate security depends on the individual because information is their future.”
Tagliapietra added that local government should be charged with the IT security education of its citizens, because the safety of their information should be at the heart of its democratic mandate.
Dirk De Maeyer, a security officer at KPMG in Belgium, argued that in order to communicate security awareness campaigns more effectively, firms should tailor their messages to specific user groups.
“You have to recognise the target audience – so for managers you should be talking about the impact on budgets and the reputation of the company,” he explained.
But such campaigns can be complex and time consuming, according to Arno Fiedler of Nimbus Network. “You need to keep it simple – it’s not easy and you need a lot of knowledge and budget to attempt it,” he added.
Firms must be alert to social engineering tricks
By Phil Muncaster on Sep 28, 2007 6:58AM