Posted by: David Schneier
Audit, GLBA, information security, NCUA, phish, phishing, Regulatory Compliance, risk, risk assessment, Security, security testing, social engineering
Consider this post to be something of a (banking) community service announcement.
It’s February 2010; do you know when your organization last conducted a social engineering exercise?
I come across instances almost all of the time where financial institutions have obvious issues with regard to their staff and how they handle sensitive information. I almost always find non-public personal information (NPPI) left unsecured on desktops, in printer/fax queues and displayed on computer monitors. I can recall at least a half-dozen instances during the past year where I personally witnessed person-to-person exchanges in which proper protocol was not followed in handling situations that are now supposed to be governed by the Red Flags rule.
It’s not hard to understand why these things happen; it involves human nature and that’s a wild card element that can’t be easily managed or controlled. People are busy, people are inherently trusting and in their haste to help a customer or get their work completed, they lower their guard. But it’s in those moments when good judgement is pushed to the side that an institution is most vulnerable.
A password is shared, a sensitive document is left exposed or a file loaded with account information is carted off on a USB storage device. Ultimately, how it happens is never really the big story though, at least not for those impacted by the breach. For the affected, it’s all about the damage, both potential and realized, that they’re confronted with. And of course it then also becomes about the tarnished reputation of the institution connected to the breach.
Do something about it.
Schedule a social engineering exercise; it’s easy, it’s affordable and it works. It tests the effectiveness of your security awareness program(s), illuminates what’s working and what’s broken, and allows you to adjust your training accordingly. And you can vary the angles taken from year to year. Start by seeing what happens when someone places calls to your staff trying to get them to share sensitive information. Follow that up by doing the same with emails. When you conduct your next internal vulnerability assessment, have the project include an attempt by the testing team to gain entry to secured facilities. You can also mix in dumpster diving (a favorite of mine), fax phishing and eavesdropping (don’t laugh, it’s a great way to skim NPPI and impossible to trace).
The results will prove to be revealing – both good and bad – and will serve as remarkably effective fodder for your next round of training. And the testing itself becomes an important tool because once people are aware that these tests are occurring, they begin to pay greater attention to their actions. No one wants to be tagged as being on the wrong side of the testing – trust me on this, I’ve seen this dynamic in play and it’s real.