Striking a Balance between Customer Service and Data Protection Through Social Engineering

Many organizations are resorting to old-fashioned customer service to attract and retain
their market share. In today's sensitive economy, a lack of customer service can make
or break a company seeking to gain new customers and retain their valued customers.
In fact, tradition has given way to innovation -- customer service still matters. In order
to meet the challenges ahead, organizations may struggle with striking a balance
between customer care and security. So, how do you balance good customer service
while protecting the assets of the organization?

The goal of providing quality customer service is a prominent part of today's business
foundation. Many organizations struggle with how to strike a balance between service
and data protection. Questions arise such as, how do I say no to a customer? Or when
is it appropriate to go the extra mile for a customer? Social Engineering is a unique
way to test both the strength and the effectiveness of existing training while
positioning your employees to protect critical data. Simply said, Social Engineering is
a solid training plan to teach employees to not give away the keys to the kingdom
while servicing client relationships.

Are we smiling in our attackers' faces?

Hackers play on empathy with confidence, perceived expertise, and persuasiveness,
pulling on the heartstrings of our need to provide quality
service and our natural tendency to assist and help others. This natural inclination
may cause employees to go along with an attacker's suggestions in order to be helpful
rather than questioning or resisting them. The bad guys understand the day-to-day
realities of IT, for example the frustrations of computers running slowly, programs not
working properly, etc. They use these daily frustrations as a means to gain access to
your data by playing on your desire to provide diligent customer service.

Knowing just how powerful social engineering is when applied to criminal behavior
may serve as a catalyst for training and insight into how your organization's employees
react or do not react in response to email spoofing, a phone call from someone trying
to encourage an employee to change a password, etc., all under the guise of being a
needy customer. Employees should know that extra-mile service doesn't mean an all-access
pass to your networks.

So how can I balance service and controls?

Social Engineering training is a concrete means to address the nuances of balancing
customer service and security. Social Engineering is an act of influencing behavior
with the goal of gathering information (social security numbers, passwords…) from
people (your employees). This is typically done through various tactics and often
through non-technical means. If successful, this information is then used to gain
access to your data. Social Engineering Assessments will provide a true test of an
organization's resilience to attacks against the human component of security controls
while providing details necessary to improve future trainings.

Social Engineering exercises yield insights into your
organization's security posture. Such tests not only provide your organization with a
roadmap of your key findings but also increase the awareness that predators are out
there disguised as friendly vendors and customers. The end result is a clear picture of where
training has previously failed, or where your current needs are, as well as a tactical
plan with specific areas to address.

Training 101: The importance of War Stories

It's advantageous to share Industry war stories. This is the single best way to ensure
your employees are aware. Raised awareness amongst all employees to be ever
vigilant about with whom they share information is a solid way to balance service and
The greatest benefits of Social Engineering testing are in the informational details and
what employees and management learn from the process. A presentation and an open
discussion with those targeted in such an attack can be a very valuable learning
experience; the best way to thwart such an attack is proper education.

Gain the extra benefits: Social Engineering as a solid part of your Penetration Testing

If you conduct a Penetration Test regularly, then get the most out of your test by
coupling it with Social Engineering. This combination is key. Penetration testing
identifies vulnerabilities on your Internet-facing systems (corporate
firewalls, email, web servers, VPN access, etc.) by attempting to break into the
network. Penetration testing coupled with Social Engineering will provide a complete
picture of your organization's security posture and ultimately minimize your overall
