Joseph Kirkpatrick
President
RavenEye Inc.
Tampa, Fla.
If you think your computer network is well protected against attack, you might be right. But your company may still be highly vulnerable. The reason: Many of us have not paid nearly enough attention to the biggest weakness of all — our employees.
Most employees are hardworking and loyal, and would never intentionally do anything to harm their employer. Even so, employees are often the weakest link when it comes to business security and to attacks from the information thieves experts typically refer to as "social engineers."
When we think of attacks on computer networks, we usually conjure up images of geeky whiz kids who know how to hack their way past sophisticated computer security systems. Hackers are certainly a big security problem, but a more likely attack may come from someone who uses simple but effective social-engineering techniques.
The SANS Institute, which specializes in information security training and certification, defines social engineering as a hacker's use of psychological techniques to get unsuspecting people to give up information needed to gain access to computer systems.
According to IDC, a global provider of market intelligence, advisory services and events for the information technology and telecommunications industries, businesses around the world will spend $45 billion in the coming year on information-technology security to help thwart hackers. But most of those same businesses will ignore the security dangers aimed at their employees, and a significant number of them will pay a heavy price for that inattention.
Without meaning to (or even really knowing what happened), employees can and do expose critical information to social engineers clever enough to ask for it in just the right way. And all of the expensive technology in the world can't address lapses in judgment or procedures.
Fortunately, companies can take steps to effectively prepare employees for social-engineering attacks. But it takes awareness, education, and training. Staffers can be trained to know what information is considered internal and confidential, and they can learn about such things as the proper disposal of documents and the careful utilization of remote-system access.
Employees who know what to look for can help minimize the risks posed by hackers and thieves who know all the tricks for stealing intellectual property and customer information.
RavenEye (www.RavenEye.com) conducts real-world attacks on a company's sensitive information through electronic and social-engineering methods and recommends security fixes.