One of the things that constantly comes up when you start taking the security of your computer systems seriously is the simple fact that your users are the weakest part of any security policy. You can spend all day working out intrusion detection systems, firewalls, nearly impossible-to-crack passwords, and doors with five levels of authentication, but when your security guard holds the door open for the pizza guy, you have a problem.
This is a type of hacking called “Social Engineering,” and it can undermine all your work in a hurry. In general, people are trained from birth to be helpful and trusting, and hackers are going to take advantage of that. It ranges from the guy who tailgates behind an employee, to the admin who keeps the administrative password on a sticky note under the keyboard because the password is too hard to remember. It also includes seemingly innocuous questions about the company, or that innocent “I forgot my password” problem that a “user” calling the helpdesk is having.
So the real question is: how do you protect your company against a social engineering attack? In one word, education. You need to make sure that your employees are properly educated in how to recognize and deal with social engineering attempts. For example, with physical security problems like tailgating, make sure they understand that holding the door for someone is not an option. They may even know the person, but what if that person is an ex-employee and they didn’t know?
At the end of the day, just remember that proper training and education of your employees will do wonders for your company’s security posture. It is also one of the most important aspects of security that gets left behind. Remember, most employees aren’t trained to worry about “Security” and think that it is someone else’s job. It’s your job to make sure that they think otherwise.