TrainingZone interviews: Your Impact's Sue Gilkes
We chat to Sue Gilkes to find out exactly what 'social engineering' means and how businesses can ensure their data is kept secure.
You’re spending a lot of time on ‘social engineering’ at Your Impact at the moment. Give us a brief explanation of what it is.
It would be easier to understand if it was called human hacking; social engineering is how humans are manipulated or tricked to obtain data, money or information. It's much easier to gain access via a human than to write complex code or hack a complex system.
It is one of the fastest-growing threats for 2014, according to a recent threat report by Sophos: 75% of social engineering attacks are successful. That's a big statistic!
Another example of social engineering: a well-known bank, at a branch in London, was duped by a man posing as an IT consultant and 1.3 million was stolen.
I'm not going to name the bank, but can you imagine the damage to its reputation?
There are many, many methods used by a social engineer, and being made aware of these tactics is so important. You would be shocked and amazed at the stories, and at the very imaginative ways they employ to access information, face-to-face and via the internet.
The fact is, we, the end user, are the biggest threat to our personal security online and in the workplace.
This could see companies develop a lack of trust in their workforce. Surely this is against the grain of modern business success?
I can understand that, at first thought, being more security conscious could mean not being so helpful to one another.
I have walked around many businesses with a smile, arms full, to get someone to hold a door open because I didn’t have authorised access. Only once in 10 years have I been returned to reception!
However, the world has changed; we live in a digital world as well as the physical world, and just as you probably wouldn't let a stranger into your home or leave your front door unlocked, it should be the same in the digital world and the office. We have to be aware of the tactics that are used and have the skills to protect ourselves and our colleagues as much as possible.
Therefore, the reverse is true; people want to work with people they can trust with their work and personal data and their personal safety.
Another misconception is that only big companies are targeted; with 99.9% of businesses in the UK being SMEs, every single company is a potential victim, and smaller companies are often targeted as they are assumed to have less money to spend on security and expert advice. Even the government is helping with this via grants for SMEs to improve security, called Growth Vouchers. We are an approved growth advisor on security, which means we can advise on security issues, and using Your Impact entitles you to match funding of up to £2,000.
It's more about changing behaviour through awareness; security through education.
It's simply a change in how we act by being aware of what could happen; in essence, an insurance policy, but we all know that when the insurance is not in place, it's Sod's law that you wish you had had it!
How can you keep your data safe from these techniques?
There are so many ways that data can be stolen, so equally there are a number of things that can be done to keep data safe. Ideally they should be done in the following order; however, education is the number one priority if you want a quick impact.
The first thing is to know where you are now: how secure are you? You can use the services of a professional social engineer, often called a penetration tester, who literally tests your company to see how they can penetrate your networks, buildings etc.
We can run tests such as how many spam emails are being opened, rogue PDFs etc. By creating fake spam, those who open it are immediately greeted with an alert notifying them of the danger of their action and what they should have done. They are then asked to complete a 10-minute e-learning package, which has significant results.
Secondly, communicate with your whole company. A link to a security policy sent around by email does not cut the mustard! Even if digital signatures are asked for, there is no guarantee it was read, understood or agreed with, let alone adhered to.
Thirdly, education through awareness seminars; I am constantly surprised at how ill-informed we are as a nation. These short seminars share all the techniques used and we can also incorporate the company’s policies and procedures. All this is useful information for our personal lives too.
And lastly, create and maintain standards. It needs to start at the reception desk, be part of the company induction and all the way up to the leaders, walking the talk.
We need to be constantly vigilant, constantly updated.
Another focus of yours is troubleshooting and problem solving. How do you train your brain to troubleshoot properly?
That's a good question, because it is our brain, albeit subconsciously, that can really cause havoc with our troubleshooting. Our brains are trained by their life so far and by their natural functions, some of which are designed to protect us; which means we do make assumptions, we do skip steps for speed, and we literally struggle when we have to really work our brain.
Through a very action-packed agenda, individuals understand how their brain and behaviours can cause their own issues and, most importantly, we teach several troubleshooting techniques and provide tools and a proven process, all of which are practised in the workshop.
We created and wrote the world's largest software company's troubleshooting classroom and virtual workshops, so we know the activities we use work, and it's good fun too.
Sue Gilkes is founder and managing director of Your Impact, a business performance consultancy that helps IT organisations achieve return on investment.