Information security professionals live in exciting times. It’s a constant battle of escalations between the new ways technology can be used to conduct business, and the new ways the bad guys can incorporate technology into their overall strategy to steal information. But an interesting trend emerged this year: a technique that has always been around is now being used on a much larger scale when going after data:

Human hacking.

The nice way to say it is “social engineering.” How do I convince Sally in Accounting to give me information that I can then use for my own personal financial gain? It’s not a new concept, and frankly tamer versions are used daily by politicians, sales professionals, and children.

[Photo: Cracking, by David Goehring]

The challenge for security professionals today is to realize that the walls they put up are not the only thing needed to defend their assets. Technology is fancy, but where high-tech hacking fails, low-tech can absolutely succeed and be much more devastating. We all talk about how the perimeter of our networks is changing, and what we once considered trusted (foolishly, in many cases) is now at the trust level of your local coffee shop’s open Wi-Fi. To make matters worse, some of the more damaging breaches are aided by a simple conversation with a front-line employee who just wants to help.

Make no mistake, people are the new perimeter.

It’s time to get serious about user education around information security. Just like we have to take a test to earn our driver’s license, we should have to become invested in the technology we rely on to do our jobs. Not necessarily experts in the 1s and 0s, but armed with enough information that can actually be recalled in the moment, so that social engineering is no longer so successful. Here are some opportunities you can use to take on user training:

[Photo: Smile because you want to, by Rory MacLeod]

  • Do you simply ask for signatures on your company’s Acceptable Use Policy (or any number of related paper documents that we typically have to sign annually), or do you train your employees, test their knowledge, and only allow them to continue when they hit a certain retention level? Do you test retention levels over time?
  • Do you launch attacks against your own employees to understand where you need to improve your training? Do you plot the results and track them over time?
  • Do you reward employees for finding security issues? Like financially reward them with vacation days, cash bonuses, gift cards (that are VALUED), etc.?

Why should your security department be limited to the few full-timers that fall into that particular cost center?

Hint: It shouldn’t.
