The first line of attack on any organization’s assets is usually its trusted internal employees, the people who have been given access to internal resources. As with most things, the human factor is the least expected and the easiest to exploit. Trusted employees are either corrupted or fooled into accidentally giving away valuable information that helps attackers.
Because of the high level of confidence placed in employees, they are the weakest link in any security chain. Attackers will usually “mine” data from employees by phone, by computer, or in person, collecting information that seems innocuous by itself but gives a complete picture when pieced together with other pieces of information. Companies that have a strong network security infrastructure may still find their security defeated if employees are willing to reduce security levels or disclose sensitive information.
One of the most powerful strategies to fight this exposure of data by employees is education. When employees understand that they shouldn’t give out secret information, know the reasons why, and know that they will be held responsible, they are less likely to accidentally help an attacker collect information. A good security awareness program should include communications and periodic reminders to employees about what they should and should not reveal to outside parties. Practice and education help reduce the threats of social engineering and information leakage.