Social Engineering: an Overlooked Security Threat

This article is taken from Assent Tech Risk. See: http://www.assenttechrisk.co.uk/2013/09 … ty-threat/

A common attitude towards information security is that responsibility lies with the IT department.

While it is true that in many cases IT plays the biggest part in how data is stored and processed, a company’s wider operation should not be ignored.

Hacking is a threat usually associated with technical expertise: finding a gap in technical IT security systems and exploiting it to gain access to confidential information.

Often, though, security can be bypassed using a far simpler approach. Social engineering is an equally significant threat that can be overlooked when planning information security, and it is perhaps the more likely to occur as it exploits human weakness.

What is Social Engineering?
Social engineering is the manipulation of people to disclose information or take action to assist in gaining access. The target is often unaware that they have given out any information of value.

Security Questions
Many organisations use security questions to verify customer identities, but is it really so difficult to find out someone’s birthday, mother’s maiden name or first pet?

If someone appears interested, people will often discuss things in their personal life, in an attempt to create empathy and find common ground.

Social Media
The concept of privacy is also changing, with more information being shared on social networking sites. And the networks we build can reveal who our customers and colleagues are. Even a photograph can give away valuable information such as locations or vehicle registrations.

Conclusion
So in conclusion, it’s important to take a holistic approach to information security, one that will include the human element.

Creating a culture of awareness of social engineering and a strong social media policy will reduce the risk of data protection issues.

Can we help?
Our consultants can work with you to address key information security threats or create a complete management system to the requirements of ISO 27001. Contact Us for more information.
