The human OS: Overdue for a social engineering patch

Taylor Armerding | Oct. 14, 2014
There is no way to plant a chip in employees that will make them invulnerable to social engineering attacks. But experts say training – done well and frequently – can make them much more difficult to ‘hack’.

Of course, just as is the case with technology, nothing will make an organization bulletproof. But Hadnagy said good training can dramatically lower the risk. He spoke of one company that hired his team two years ago to test their awareness, and 80% of employees clicked on phishing emails, 90% fell victim to vishing and 90% were duped by one of his team members impersonating a person at the help desk.

"We went to town educating them, and then in a later test, which we made more difficult, they shut us down," he said. "We got nowhere."

That, he said, shows how effective good training can be. "Statements like, 'There is no patch for human stupidity' are damaging to the belief we can fix this," he said. "It's not about humans being stupid, but about humans being unaware and uneducated, and having no direction on what to do when attacks occur."

5 tips to ward off social engineering

To overcome "clueless worker" syndrome, experts offer the following tips for effective training:

  1. Security awareness should be a continuous state of mind. Effective training can't be a once-a-year event.
  2. A check-the-box presentation will be quickly forgotten. Remember, compliance is not security.
  3. Make it relevant - workers tend to remember something they believe will protect them, at work and at home.
  4. Make it specific - executives are likely to confront different threats than plant workers.
  5. Make it real-world. Turn the failure to spot a phishing email or an impersonation into a teachable moment.
