Social engineering is an attack on an information system in which the attacker obtains access through manipulation, using tricks to extract authorization details. It takes several forms, such as website spoofing and phishing. Many organizations have realized the importance of information security and have linked it to business profit, and they have taken different measures, such as testing for attacks from hackers. Companies have failed to realize, however, that disregard of security policy by employees can cost the company. Some employees disregard security policies to offend or ‘punish’ the employer; others simply do not see the need to secure the system.
Information breaches regularly take place in organizations, and there are procedures and guidelines for recovering from them. The question is what an organization will do if the breach came through social engineering, meaning that the attacker manipulated an employee of the organization into handing over credentials to sensitive information. Such problems can be addressed by comprehensive planning and implementation of information security policies.
There are different ways of minimizing social engineering. Employee awareness and sensitization is the most widely accepted method. Employees should be informed of the importance of securing information and of how security can be compromised by sharing it. Hackers seek access information through e-mail and fax communication; in such cases they know they will be far away if they are discovered. They also offer to help employees in the organization, which makes the employees feel obligated to give out important information. Sensitizing employees to such methods ensures that security breaches are minimized. It is also important to hold frequent education sessions about security. The company can initiate a program to teach employees how to secure their own passwords, such as wireless passwords, and this culture carries over to the workplace. Employees can also be informed about security systems through posters in relaxation areas such as the company café. The posters should be changed frequently and carry simple but informative messages about system security. Graphics and charts are better means of communication than plain text, since they are more memorable.
Apart from educating staff about social engineering and the company's security policies, it is important to secure information facilities. Information system security has two aspects: physical access to the facilities that house information systems and access to the information systems themselves. The company should introduce or enforce door security so that employees must have authorization to reach information systems. Since the hacker has already had access to the system, the company should change all current passwords and issue new passwords to employees. Backing up and modifying the current file system is also necessary, since the company does not know what damage the hacker has caused.
Employee education alone is not enough to secure systems. Classification of documents within a company is very important: it allows the security system administrator to give employees access only to the files they require, and it also narrows the search for, and identification of, the person who gave out credentials to access a given file.