The Weakest Link

Most organizations have implemented a plethora of technological security solutions in the form of firewalls, network monitoring, anti-virus, real-time log monitoring and all the other requisite technologies. The PCI Data Security Standard is predominantly focused on these technological solutions and their appropriate care and management.

Regardless of all of the technology deployed to secure sensitive information, people still interact with that information in order to do their jobs. The PCI Data Security Standard recognizes this and directs organizations to minimize the number of employees with access to cardholder data. In addition, Requirement 12.6 requires that a formal security awareness program exists, that employees are periodically reminded of their responsibilities to protect cardholder data, and that employees attend awareness training at least annually.

Organizations have not done themselves any favors in this area. For more than 20 years, organizations have based their customer service training on the premise that it is cheaper to retain an existing customer than to court a new one. This training neglects the fact that some customer requests are made with bad intentions, and it therefore does nothing to encourage healthy employee skepticism of customer requests.

Traditional customers are not the only people employees are trained to provide exceptional service for. Those who serve internal customers, such as help desk staff or even the receptionist, are encouraged to bend over backwards for other employees as well. In our customer-focused society, everyone is tripping over themselves to be the most helpful. To make matters worse, most organizations reward customer-focused activities through employee incentive programs. What is missing from our customer service training is teaching employees to consider what their assistance may put at risk before they provide it.

This gap explains the recent rise in social engineering attacks. Organizations have most of the technological security solutions in place, but they have not focused on the threat their own employees present. Social engineers use this to their advantage and obtain user identifiers and passwords, account numbers, encryption keys and other sensitive information simply by leveraging an organization's customer-centric service philosophy.

Disgruntled employees also threaten the practicality of the customer-centric philosophy. Not all of these people are necessarily on the verge of being fired; in the worst case, they are everyday, reliable employees who hold a grudge. When they decide to act, a disgruntled employee cares only about exacting revenge, and will do whatever it takes to get it, such as destroying records, releasing sensitive information or even murdering other employees.

This is why Requirement 12.6 is a vital part of the PCI Security Assessment Procedures. A security awareness program is one of the most important tools for minimizing the success of social engineering. However, the testing procedures in the current PCI Security Assessment Procedures are just a start. For an organization to have a truly effective security awareness program, merely reminding employees of their responsibilities is not good enough. Social engineering testing must be conducted periodically against random groups of employees to confirm that the awareness training is actually being put into practice. Without such testing, it is anyone's guess how well an organization's awareness training is working. That is why, in future releases of the PCI Security Assessment Procedures, I expect to see Requirement 12.6 expanded as attacks shift from purely technological methods back toward social engineering and, eventually, hybrids of both.

Is social engineering testing a silver bullet? No. Regardless of how much training and testing an organization does, people are fallible; it is human nature. But a good awareness program combined with social engineering testing minimizes the organization's risk from social engineering attacks. That is more than customer service training alone can do.


February 2009