Employees Need to Know They Will Be Tested on Social Engineering Responses
By Lora Bentley
IT Business Edge, September 3rd, 2009
Excerpt from article:
Evolve IP's Carl Herberger says companies should tip their employees off that they will be testing their response to different social engineering schemes. It's just like when department stores are routinely checked by corporate quality assurance personnel, he says. Employees should know that they will be tested and that they won't know exactly when the tests will come.
Because social engineering often occurs in the gray area between information security and physical security, testing takes two forms: physical and logical. Physical tests can be as simple as observing behavior. Does the receptionist check in visitors appropriately? Do employees allow others to piggyback on their ID card when entering the building? What about passwords? Are they left on desks in plain view? Will employees pick up a randomly dropped USB device and use it?
Logical testing, using phishing and pharming techniques, takes many forms. It can come in an e-mail, via a Web site, in an instant message, or even in a phone call or a piece of snail mail. Surprisingly, Herberger says there is usually a 25 percent to 30 percent take rate on phishing schemes even in organizations where employees have been trained on what to avoid.
Read the full article online at ChannelWeb: Employees Need to Know They Will Be Tested on Social Engineering Responses