By Phil Muncaster in Warsaw
26 Sep 2007
Enterprises must invest more heavily in staff training and social
engineering tests to ensure corporate data cannot be compromised by
outsiders who trick their way into the company, according to experts at
this years ISSE event in Warsaw.
Sharon Conheady, a consultant in social engineering for consultancy
Ernst & Young, explained that the scale of the problem is often
underestimated by firms, because many are unaware it is even going on.
She revealed criminals are using tools such as Google and company web
sites to research and gather information about a particular firm, before
conning their way into the building with the aim of stealing sensitive
The key to preventing [attacks] is education and awareness, Conheady
argued. Its a good thing to employ someone to test your physical and
security controls and see how aware staff are about them.
Other speakers at the event advised firms how best to go about educating
their staff. Gigi Tagliapietra of Italian computer security association
CLUSIT, argued that managers need to personalise their message and build
a relationship of trust with their users, so individuals understand the
consequences of their actions.
Its all about continuity, simplicity and taking one subject at a time,
he said. People will do things if you show them why they should
corporate security depends on the individual because information is
Tagliapietra added that local government should be charged with the IT
security education of its citizens, because the safety of their
information should be at the heart of its democratic mandate.
Dirk De Maeyer, a security officer at KPMG in Belgium, argued that in
order to communicate security awareness campaigns more effectively,
firms should tailor their messages to specific user groups.
You have to recognise the target audience so for managers you should be
talking about the impact on budgets and the reputation of the company,
But such campaigns can be complex and time consuming, according to Arno
Fiedler of Nimbus Network. You need to keep it simple its not easy and
you need a lot of knowledge and budget to attempt it, he added.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com