The contestants collectively made 140 phone calls to real employees at real companies. Only five of the employees called refused to give contestants the information they were seeking. And in each case, the contestants who reached those employees were able to hang up and call another employee at the same company who did volunteer the information.
Social engineers don't just prey upon people via the phone. Phishing attacks using emails from seemingly legitimate businesses are a prime example of social engineering.
Weak Passwords Are the Norm
When it comes to passwords, the picture is also bleak. In June, Joseph Bonneau at the University of Cambridge released the results of a study analyzing 70 million passwords of Yahoo users in an effort to estimate the difficulty of guessing passwords. Bonneau concluded that humans tend to pick weak passwords.
"We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution," Bonneau writes. "Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to population-specific lists."
Creating a Security Awareness and Training Program
"The solution is training and education, and it does work," Spitzner says. He points to one organization that worked with SANS Institute. It managed to decrease its number of infected computers so dramatically that it was able to shift one employee from handling infected machines to working on something else.
But it's not as simple as deciding to do it, he notes. Most security awareness programs inside organizations accomplish little, he says, and the reason is that they were never actually designed to be effective.
Start with a Security Awareness Steering Committee
To begin, he says, you should first establish a security training steering committee. The steering committee should be composed of five to 10 volunteers from a mix of departments and roles that can help to plan, execute and maintain the program. Spitzner recommends including people from audit and legal in the steering committee. He notes that the members of the committee should not only be guides, but ambassadors for the program that help get the members of their organizations on board.
Answer the 'Who,' 'What' and 'How'
Once established, the steering committee needs to create a plan that answers three questions: who, what and how. 'Who' is first. Spitzner says one of the most common mistakes he sees is companies that attempt to create a monolithic security awareness and training program.