Some Things You Can't Train For

In this age of electronic data, you can't blame organizations for wanting their employees to be more security-savvy. You also can't blame managers for instinctively turning to an old, reliable reinforcement technique: threats training.

Trouble is, it's extremely difficult to train employees against any number of security threats, including one that HP recently made famous. That's according to Richard Stiennon, CIO Update contributor and founder of IT security research firm IT Harvest. In his latest column, Stiennon says:

Take the concept of pretexting. This has gotten a lot of press recently because top executives of HP hired private investigators to obtain phone records of board members and journalists in an overzealous attempt to determine who was leaking information about board discussions.

The PIs would masquerade as these individuals and call the telephone companies requesting their phone records. I am at a loss for how you could train a CSR to recognize a pretexting attack.

Stiennon makes a good point, and he offers a tandem solution:

[T]he phone companies should take two steps. One is policy: No customer information given out over the phone, phone records only mailed to the address of record, etc. Second, technology can be deployed to identify and alert when these types of attacks are underway.

It's not just pretexting, though. Using training to enforce sensible policies regarding passwords and screensavers usually meets with equally disappointing results, Stiennon says. But then, you already know that.

Formidable as the task is, our CIO Update columnist does offer some sound advice on instilling in your employees a greater appreciation for security. It's worth a look.
