A security-aware culture must include ongoing training that consistently informs employees about the latest security threats, as well as policies and procedures that reflect the overall vision and mission of corporate information security. This emphasis on security helps employees understand the potential risk of social-engineering threats, how they can prevent successful attacks, and why their role within the security culture is vital to corporate health. Security-aware employees are better prepared to recognize and avoid rapidly changing and increasingly sophisticated social-engineering attacks, and are more willing to take ownership of security responsibilities.
Official security policies and procedures take the guesswork out of operations and help employees make the right security decisions. Such policies include the following:
Password management: Guidelines such as the number and type of characters that each password must include how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk) will help secure information assets.
Two-factor authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords.
Antivirus/antiphishing defenses: Multiple layers of antivirus defenses, such as at mail gateways and end-user desktops, can minimize the threat of phishing and other social-engineering attacks.
Change management: A documented change-management process is more secure than an ad hoc process, which is more easily exploited by an attacker who claims to be in a crisis.
Information classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.
Document handling and destruction: Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.
Physical security: The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.