The Best Security Concept to Protect Against Social Engineering | Antivirus

Many IT security researchers are convinced: humans are the greatest security gap in organizations because of the danger posed by social engineering and social manipulation. Against this, even the best security patch is of no use. In addition to disaster recovery concepts and the expansion of the technical security architecture, IT decision-makers and data protection officers should also work on eliminating human weaknesses. All employees of a company should be made aware of the dangers of social engineering.




One thing is clear: there is no standard strategy, no "anti-social engineering blueprint". It is crucial to understand the psychological methods of the attackers and to educate the employees. That's half the battle. Ultimately, the entire company requires an integrated IT security concept that is constantly updated to reflect current risks and methods. The security concept and the underlying security philosophy should be carried through right down to the last employee so that security thinking is deeply anchored in the company. The three key questions that companies have to ask themselves are:

· How do external service providers, IT and non-IT, have to legitimize themselves when making contact?

· In what way are sensitive data and information allowed to leave your company at all?

· Who has what rights to access the company infrastructure?


The Five Most Important In-House Measures Against Social Engineering

· Win management over to IT security and strategies against social engineering. This is of course the task of IT management and, if necessary, of the data protection officer. The arguments for the company management are obvious: social manipulation should be one of the building blocks of risk management. Risk prevention supports the organization, lowers the risks, protects against industrial espionage, and helps to avoid unnecessary costs caused by exogenous shocks.

· Train employees initially and continuously. Prevention training in the area of social engineering and social manipulation should be a standard part of the welcome package and the introductory days, especially for new employees. Every employee should be included in a mandatory IT security concept. Workshops on the risks of social engineering and dangers in social media improve IT security not only in companies but also in employees' private lives. The personal benefit should also be emphasized so that employees have more interest in acting cautiously.

· Develop guidelines, put them in writing, and distribute them. In parallel to the regular training, guidelines should be drawn up and made available to every employee in writing, whether in print or digitally. The correct behavior should be worked out clearly and precisely. Receipt of the guideline should be acknowledged in a binding manner.


· Security architecture. A well-thought-out employee concept is rounded off by an introduction to the IT security architecture in use, which should be as modern as possible, as well as to the hardware and software.

· Regular check-ups and penetration tests. The IT managers should check in regular, random, and unannounced tests whether the "human firewall" works against social engineering. Note that the works council should be involved here if necessary.

Installing an antivirus can make your regular check-up process easy and hassle-free.
