BreachExchange mailing list archives

Social engineering audits on the rise: What this means for CIOs and CSOs


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 12 Sep 2014 15:24:25 -0600

http://www.techrepublic.com/article/social-engineering-audits-on-the-rise-what-this-means-for-cios-and-csos/

The recent Target data breach and a new data breach at Home Depot are
reminders to CIOs and CSOs about the dangers of security problems on a
massive scale, though the smart executives are giving equal time to the
potential of internal data breaches. These are inadvertent and sometimes
deliberate security breaches that happen when an employee shares a password
or loses a mobile device. In other cases, an employee might access a
website at work that loads malware onto his PC, which then spreads
throughout the corporate network. Security breaches also occur when a
disgruntled employee leaves the company and takes with him valuable
intellectual property that belongs to the company.

During a recent visit with the CEO of a security IT audit firm in the
banking and financial services industry, I asked which hot audit services
banks were requesting. He answered that banks wanted full-scale IT
audits and internal/external penetration testing of their networks, and
that he was receiving high numbers of requests for social engineering
audits.

What is a social engineering audit?

"It's an examination of your internal controls over information, such as
the strength of your security policies and procedures and whether your
employees are abiding by them," he said. "We visit with different business
units within a company to see how these policies are being carried out, but
we also perform a series of automated tests to see if there have been any
internal data or security breaches that are the result of employee
activity."

It's not a pleasant situation if something turns up, because the discovery
of an internal security breach usually leads to the interrogation of an
employee, and in the worst cases, employee dismissal. Nevertheless, social
engineering is at the top of the security to-do list for many CIOs and CSOs
because internal security breaches occur with more regularity than they
would like to admit.

In financial firms, the uptick in social engineering audit activity is
attributed to several factors:

- More regulators are proactively asking banks what policies and practices
they have in place to control potentially compromising security breaches by
employees;
- There has been a general rise in employee security breaches, information
thefts, and system sabotage since jobs were lost in the 2007-2008 economic
recession; and
- More mobile devices are being used -- and also being lost or misplaced in
the field.

The mobile device threat is also felt in the "back office," where banking
mobile device policy often crashes head-on with employee personal mobile
usage habits. Here's how it happens.

Nearly everyone carries a personal cell or smartphone on his person with a
built-in camera. It's great for taking photos and sending them to friends,
and it's not a likely issue if you work in a floral shop or a sports arena.
However, if your job is in a credit and debit card "back office" processing
operation where you see dozens of account numbers and social security
numbers each day, and can easily photograph and sell them, your bank
employer is likely to have a policy against having mobile phones with
cameras in the work area.

The bottom line

Security is an inside as well as an outside responsibility. Accordingly,
CIOs and CSOs are:

- collaborating with HR to facilitate employee training (and re-training)
in corporate technology usage policies and practices;
- staying on top of new industry security and privacy regulations for
internal security; and
- ensuring that technology is in place to locate and shut down mobile
devices in the field that are lost or misplaced.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 