Bug Watch: The threat of social engineering

by Tim Ecott, Integralis

25 Apr 2002

Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week Tim Ecott, managing consultant at IT security consultancy Integralis, looks at the threat of social engineering.

Be under no misconception - people who really want access to your company's data can get it. Technology provides the determined hacker with the ability to access unauthorised information, but it is their cunning that often gets them the initial foot in the door.

Social engineering is the name given to the non-technical processes that hackers will use to obtain information, yet there is seemingly little awareness of the threat that this poses to businesses.

There are several misconceptions about how companies can best protect themselves against attacks, intrusion and data leaks. Firewalls, passwords and smartcards can all work to provide businesses with a secure infrastructure, but frequently the biggest threat is overlooked.

Without being aware, employees can pose one of the greatest threats to company security. Conversations in the pub after work, using a laptop on the train, holding the door open for someone instead of making them swipe an ID card - all of these things can potentially compromise the overall security of a business.

All it takes is for a hacker to overhear a conversation mentioning company names, departments or projects, and they can begin to build up insider knowledge to use to their advantage. Once a certain amount of inside information is gained, something as harmless as a telephone call can be used as a tool to obtain further privileged information.

By implementing an IT usage policy document, businesses can highlight to employees what social engineering is. Relaying this information in a legally binding document helps employees to become more vigilant, because they are aware of the implications of their actions.

Once a user policy is in place, businesses need to further encourage the vigilance and diligence of employees in security matters. Organisations need to create a culture that makes employees understand their integral role in the security equation.

The process of convincing users to be alert to the threat of social engineering is by no means a simple task. Many of the most effective ways of reducing the vulnerability actually go against human nature: why wouldn't you hold the door open for someone if they had their hands full? Education is key to the implementation of an effective security strategy.

One way in which businesses can lessen the threat of social engineering is to have their defences tested for weaknesses. For example, penetration tests can cover everything from network security right through to how willing people are to volunteer information that will help a perpetrator to gain secure information. The tests are bespoke and can be as comprehensive and detailed as necessary to determine the risk level at which a business stands. They provide businesses with a clear picture of their weaknesses and allow them to be proactive in preventing security breaches.
