Social engineering is now recognized as one of the top threats to enterprise security. I think we all have had side conversations with security leaders inside companies validating this concept for years, but not until recently have we seen it pass other threats in such a public forum. Those same security leaders have struggled with mitigating the threat because they instinctively jump to a Draconian view of information security policy enforcement as the only solution. It certainly would be effective in some ways, but morale would plummet and the creative technophiles would find ways to free themselves from such Athenian legislation.

People, clouds and triumph, by cueller

The irony is that many of these controls are not only designed to protect our information assets, but also designed to protect our own employees from themselves. The amount of collateral damage that can be caused by clicking on a link or opening an attachment is quite staggering. If you use social media, you’ve seen your friends and other people you follow fall victim to an attack. Whether it was clicking on a free iPad link or some apparently scandalous news story about a celebrity, we’ve seen strange things pop up in tweet streams and Facebook walls. Granted, most of those are pretty minor but a massive nuisance at the same time if others spread the worm.

The solutions to this problem vary, but each has benefits and can be effective in its own way. For example, if every corporation started tracking public internet usage by forcing users to enter their domain username and password for every site they visit every day, not only would bandwidth usage go down but you would also see a dramatic decrease in risk, because those time-wasting sites that tend to be loaded with malware simply won’t be visited as frequently.

Now I don’t think every user can detect every kind of malware, so it’s probably important to block sites you deem to be irrelevant or just too risky to allow into your corporate infrastructure. Some basic risk-based decisions on content can go a long way to keeping your infection rate down.

“But Branden,” I hear you ask, “what about those laptops that go home and aren’t always connected to my network?” Those are certainly at risk of infection if the only controls you have disappear once the machine leaves the premises, especially if you allow your users to have local administrator access. Don’t forget, in most cases the laptop is a corporate asset. Functionality away from the corporate network for work-related activities is secondary. If you have a rather rebellious user base, maybe it is time to invest in Virtual Desktop Infrastructure (VDI) and allocate funds for them to purchase and bring their own device to work.

If you can take anything from this post, I hope you understand that your trust value is on the line. The bad guys want to use the intangible value of your trust to infect as many people with as little effort as possible. You must protect your trust, and that of your employees as well, while enabling them to do business in a digital world.

It’s not easy, but that’s the fun part, right?

This post originally appeared on