Do we focus too much on security and not enough on people? Social engineering is an age-old problem, but it’s not going away. And while many threats that exploit social engineering can be as crude as a badly spelled phishing email, there is a trend toward more targeted campaigns that are harbingers of something more serious.
David Emm, senior security researcher at Kaspersky Lab, explains to Tracey Caldwell that many of today’s sophisticated attacks on organisations start with ‘hacking the human’ — often someone who has a public profile linked to the organisation. By tricking staff into compromising corporate security, attackers get a foothold in the organisation.
The answer is to change people’s behaviour, but this is difficult and it’s not going to happen overnight. Changes need to be made at all levels of the organisation. And it needs to be a continuous process, maintaining awareness through constant reminders, both formal and informal.
It’s not really about ‘training’, but a more general understanding and awareness that stays relevant as the threats evolve. With the right level of comprehension, people can spot new threats.