
You won't get fooled again

Understanding social engineering and implementing a leak prevention policy is essential, says Raj Samani

Written by Raj Samani


Raj Samani, vice president of communications, ISSA UK

Do you remember the induction you were given when you started your job? From the many presentations paraded before you, do you remember the five-minute talk about the information security function?

There is a general belief that an induction presentation and the occasional email constitute mitigation against a range of threats.

But such a standard approach – which usually concentrates on the risk of being duped into providing information and on best practice guidelines for the use of technology – is not good enough.

New employees are often left ill-equipped to deal with professionals who use proven psychological techniques to extract information.

Documents seized by the Information Commissioner’s Office (ICO) provide an insight into the market for unlawful personal data.

In one example, the ICO uncovered “literally thousands” of offences under Section 55 of the Data Protection Act, the section that concerns the wrongful use of personal data.

Such practices generally glean information in one of two ways.

Conscious collusion involves techniques such as financial incentives, blackmail or the threat of violence.

Under such circumstances, the individual marked for the sting is fully aware of what is happening.

In unconscious collusion, the naivety of the mark is exploited. This is referred to as social engineering and is broken into two categories.

First, farming – where the attacker builds a relationship with the mark at the target firm and uses manipulative techniques to extract information. The aim is to milk information over a long period of time.

Second, hunting – where the attacker uses manipulative techniques to extract information without establishing a relationship first. The attacker normally performs a single interaction and ends it after getting the data.

The ICO reports that media firms, insurance companies, lenders, creditors, criminals and people involved in matrimonial and family disputes are likely customers for such information.

In many cases, individuals making a request for information will aim not to stand out from normal social interaction.

Social psychologist Robert B Cialdini says there are six basic human compliance tendencies which successful social engineers aim to exploit:

  • Authority – We look to experts to show us the way forward.
  • Liking – The more we like people, the more we say “yes.”
  • Reciprocation – We feel obliged to return favours.
  • Consistency – We act consistently with our commitments and values.
  • Social validation – We look to others to guide our behaviour.
  • Scarcity – The less available a resource, the more we want it.

What can be done to prevent social engineering? Using simple induction courses to mitigate potential threats is not only inadequate but also provides a false sense of security.

Your approach to preventing information leaks should be multi-layered and include a mix of people, process and technology.

The first step is to understand the scale of the problem within your company, so any controls can be tailored to be more effective.

Raj Samani is vice president of communications for ISSA UK and a security consultant at Capgemini
