reply to discussion post below CMIT

What, according to you, are the necessary countermeasures for preventing social engineering and identity theft?

Social engineering is described a few different ways but it basically means tricking people in to giving up sensitive information about themselves, other people, or their company/network. Norton describes social engineering by saying “Social engineering is the act of tricking someone into divulging information or taking action, usually through technology. The idea behind social engineering is to take advantage of a potential victim’s natural tendencies and emotional reactions.” (Norton)

In my mind there are two main avenues of approach for countermeasures against social engineering and identity theft. They are infrastructure and training. Infrastructure would refer to things like the practice around waste at a company. Some people go dumpster diving to try and gain information about people to gain access to their identity or their company. Shredding documents and making sure old computer systems are handled correctly can prevent some of this from happening. Implementing firewalls is the other part of infrastructure. Keeping as many of the bad actors and malicious code out of the network and away from the people is the goal here.

Training is the big one here though. People remain the biggest threat to themselves and the companies they work for. Clicking on unknown links from emails, leaving their passwords lying around, answer emails with passwords and usernames that seem like they are from the company without verifying. All of these can be prevented with some basic and consistent training on best practices for employees. If someone gets an email requesting sensitive information, they need to check with the actual source to make sure they are actually requesting it. Typically it is not the real company.