Two policies that can be enacted to help prevent social engineering via phone calls are:
Sharing of Sensitive Information on Phone Policy
“Sensitive information of <Company Name> will not be shared with an unauthorized individual if he/she uses words and/or techniques such as the following:”
- An “urgent matter”
- A “forgotten password”
- A “computer virus emergency”
- Any form of intimidation from “higher level management”
- Any “name dropping” by the individual which gives the appearance that it is coming from legitimate and authorized personnel.
Social Engineering Personnel Training Policy
A policy which specifies who gets trained, how often, and what the training material must cover, including awareness of attacks from people such as:
- Individuals who claim to be reporters
- Sub-contractors
- Employees (former and current)
- Strangers who use seduction/ego-stroking methods
- Vendors
- Vendor customer support, etc.
However, the obstacles in implementing these policies could be:
- Human nature: people are vulnerable to social engineering attacks; they are the weakest link in the security chain for a reason
- Costs involved in training
- Increasingly sophisticated attacks, which make it hard to keep the training up to date