I recently had the honor and pleasure of sitting on an panel besides some amazing expert talent in the industry to discuss another polarizing topic: Social Engineering.
Social Engineering, in the context of information security, refers to:
…psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
The term “social engineering” as an act of psychological manipulation of a human, is also associated with the social sciences, but its usage has caught on among computer and information security professionals.
How we behave at our places of work, the kinds of decisions we make day-to-day, make a big impact on information security inside those organizations, positively and negatively. This is because, as employees, we often don’t see ourselves as part of an organization’s defenses against would-be criminals. So, it’s easy for us to take actions that ignore organizational information security best interests.
This is why research shows every business, regardless of size or complexity, needs to be committed to improving its culture’s awareness on a continuous basis, even if by only providing awareness training a couple times a year to keep these concepts top-of-mind for everyone.
This was a worthwhile discussion about some of the methods, tools, tactics, and strategies we use to help harden the human side of information security against those who would exploit our good-natured tendencies for malicious purposes.
Not an easy or always pleasant thing to have to do but an important one for building awareness training activities that elevate business cultures (and our culture at large) to be more resilient against these kinds of vulnerabilities.