A network can be hardened against attacks from the outside, and most networking professionals are up to this task. Of course, it’s impossible to eliminate all risk, but the big ones can be accounted for and proactively defended against. With that being said, there remains a single risk that can never be completely mitigated - the humans on your network.
No Easy Answer to Social Engineering
Social engineering attacks are often the hardest to defend against because non-technical employees find it hard to conceptualize them. Telling an employee they shouldn't disclose information, except when requested by IT, is admittedly confusing. Consequently, social engineering and user error lead to indefensible attacks when users aren't engaged in a company's security.
Social engineering attacks come in a variety of flavors. They can be as simple as asking who handles the paper shredding or coffee service. These crumbs may seem inconsequential alone, but together they can form a complete picture of your internal workings that is invaluable to a potential attacker. When rolling out something to defend against these attacks, companies often fail to think like a malicious actor. Information deemed valuable to a company may not carry the same weight for an attacker, and the reverse is also true. Even the brand of networking and firewall equipment at a particular location can provide a literal backdoor into a company.
It Won't Happen to Me. Things Like That Happen to Other People.
Social engineering isn't the only risk that users introduce to a network. Downloading files from the internet or inserting a flash drive into a workstation can be just as devastating. The hurdle is that security professionals see these things as legitimate threats, but to the average user they sometimes come across as simple paranoia. Many users feel, to some degree, that they won't be the ones to fall for downloading a screensaver with a Trojan bundled in. No average user thinks they could make such a mistake - things like that happen to other people.
Fixing the Problem
So how do you turn your click-happy employees into fearless network security warriors? The first step is to look at your security policy and assess how strict it is. An honest policy audit will help you determine the next steps. After a thorough self-assessment comes education. Employees can't guard against attacks if they aren't aware of what a modern attack looks like. For example, forget using passwords. Use a passphrase. Obviously the education needs to be engaging, but it also needs to be something that all employees can actively participate in. Unfortunately, this won't be a one-and-done situation. Periodic re-training and reminders will be absolutely critical to forming the right habits. Even if reinforcement is just a tip of the week, employees need constant reminders that the security of the organization depends, in part, on them. Mistakes will be made. The responsibility to minimize their impact lies with the internal IT team.
Battening down the hatches on your network is a daunting task, and all security professionals understand that there will always be a degree of risk. Firewalls and intrusion prevention cannot defend against an attacker manipulating an employee into giving a username and password, or a user downloading malicious software accidentally. Employees need to be informed and educated in order to prevent things like this from happening. They need to understand that the safety of a company’s assets isn't dependent on just a handful of people in IT, but on every user in the entire organization. It's your job to show them the light.