An organization's information security program should include a section on social engineering. Organizations must educate employees about social engineering and teach them how to identify and avoid social engineering exploits. Policies regarding social engineering must be put in place for all employees to follow, and security measures that reduce exposure to social engineering exploits must also be set up.
In order to avoid social engineering exploits, an organization must educate its employees properly on the matter. Employees must know what information they are allowed to access and what information is to be kept private. They must understand that under no circumstances should any information deemed private be shared. Employees should be taught ways to determine when a social engineering attempt is taking place and how to avoid it. Employees must learn how exploits work in order to learn how to avoid them.
An organization must set policies and security measures to prevent social engineering exploits. Policies should cover such things as when company equipment may be used, proper password practices, and how to deal with exploits after they happen. Organizations should establish security measures such as password length requirements and expiration, activity monitoring software, and proper equipment and document disposal processes.
One social engineering technique is requesting information electronically. For example, a fake message requesting information, such as a username and password, is sent to an employee via email. That message may look legitimate, as if sent from the IT department, and can easily fool employees. However, employees must learn that no one from within the organization will ever request such sensitive information, and any such exploit should be reported.
Another social engineering technique is requesting information via a phone call. The same method behind the fake form is used where an individual posing as someone else,...