IT Security Threats – “social engineering”


No IT security technology, on its own, will guard against good social engineering: the attack targets the person, not the system.  Social engineering is the email claiming to come from your support department and asking you to send in your password (phishing).  It is the email from somebody in Nigeria who wants to deposit millions of dollars in your bank account (advance-fee fraud).  It is the phone call claiming to come from the appliance repair company and asking for the entry key (pretexting).

Wikipedia comes through again with a great definition:

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.[1] This is a type of confidence trick for the purpose of information gathering, fraud, or computer system access. It differs from traditional cons in that the attack is often a mere step in a more complex fraud.

The best defense is education, backed up with practice and drills.  Back it with procedures that limit what a single deceived employee can hand over: support staff never ask for passwords, unexpected requests for credentials or building access are verified through a known phone number rather than the contact details in the message, and a password alone should not be enough to get in.  Consider engaging a third party to test employee responses with simulated phishing emails and pretext phone calls, perhaps as part of a larger security audit project.