Companies face a variety of challenges in today’s business environment and have to manage an assortment of risks. Some of those challenges include maintaining a competitive advantage, attracting and retaining top talent, and protecting the company’s assets. The third challenge, protecting the company’s assets, is becoming tougher as a result of today’s complex and ever-changing technology-driven environment.
One of the biggest threats that risk managers contend with is the continued development of social engineering tactics. Let’s face it: criminals want our confidential information and are willing to play on our desires, fears and emotions to obtain it. One of the most common social engineering schemes employed by hackers is the use of fictitious emails masquerading as legitimate business messages. These emails often appear friendly in nature, offering an attractive incentive. Others threaten an undesirable result that will impact our livelihood if we fail to respond to them. While email is probably the simplest tactic, there are more complex schemes as well.
The Risk Assurance and Advisory Services (RAAS) team of KraftCPAs is on the front lines of social engineering testing. This testing, which mimics tactics commonly used by real-world hackers, helps to assess the security awareness of an organization and its employees. Social engineering can also help measure adherence to the organization’s information security policies and best practices. The process can also identify areas where additional training is needed.
To assess our clients’ understanding and awareness of social engineering, we often use simple techniques and tactics. “While I don’t want to give away all of our testing tactics, I can say that we have often tricked our clients’ employees into giving us unsupervised access to their facilities where highly sensitive customer and company information is stored,” said Chris Zotti, senior associate with RAAS. “We have even been able to walk out of facilities with company equipment (with management’s knowledge of our testing, of course). Even more frightening, most of our tests require less than $30 and a few sheets of paper. Had we been actual bad guys, who were trying to steal information or equipment, the results could have been devastating.”
While the process of social engineering testing can produce findings that are tough for an organization to swallow, clients find that the end product is well worth it. Once clients realize that their company is vulnerable to these types of threats, training and prevention typically become a higher priority for management. The typical result is that standard information security practices are implemented and employee education is provided.
“Once the process of social engineering testing is complete, our clients are more than open to seeing the weaknesses in their systems so they can improve awareness and controls,” said Gina Pruitt, member-in-charge of RAAS with KraftCPAs. “There are so many risks involved with information technology, and many people are simply unaware of how easy it can be for a tech-savvy person with malicious intent to seriously harm an organization. Our social engineering processes bring to light those human threats and the potential damage that can result when employees are not adequately trained in how these threats impact information security.”
We also conduct internal and external penetration testing as part of our network security assessments. Here we try to gain unauthorized access to a computer system, either by exploiting system vulnerabilities or by convincing employees to give us access unintentionally. It’s harder to get through a firewall or intrusion detection system than it is to gain access through employees. People are definitely the weakest link in information security.