Tales of social engineering

Great people hacking stories from a veteran.


Winn Schwartau has been writing, lecturing and consulting on security for more than 25 years. The founder of The Security Awareness Company says that while technology has changed, the most influential factor in security has not: the employee, or end user, at the keyboard.

"We don't touch networks, we touch people," says Schwartau. "Because, in the end, the weakest link in all of this stuff is the person at the keyboard."

Schwartau says security managers are up against a combination of ignorance, apathy and arrogance when it comes to individual awareness.

"One thing we've recognised over the last several years is the user doesn't care about the company. He cares about his paycheck, his review, his incremental raises," he explained. "A lot of companies claim to have some kind of policies about user behaviour, but given the political correctness of the world, even if you have a policy that says 'Don't do this or you'll pay the piper', generally the piper doesn't get paid."

Schwartau ran through some memorable moments he's encountered in his decades consulting in security awareness training. Social engineering, he says, has new players and forms, but the underlying techniques usually remain the same.

The postman rings, security pays the price

We had been hired by a large financial services firm in New York to do security awareness training. We wanted to do an assessment of where people were with awareness based upon all of the training and policies they had going on prior to our involvement with them. So we created a social engineering test.

It was not the traditional 'call someone on the phone and try to social engineer them.' What we did was take their letterhead and write a letter. We sent it through regular mail to about 30 percent of the employees, approximately 1,200 people. The letter said essentially: "Hi, we're from corporate information security. The reason you are receiving this letter is because we know social engineering occurs at work and we are going to upgrade our systems." We then went into some detailed technical babble about how we were going to migrate this database to that, and a lot of stuff the average person is just not going to understand.
