II. Management

Although advanced technologies have been developed to preserve information security, people are usually the weakest link in the security chain. That is why social engineering is still the most effective method of getting around security obstacles.

Because the vulnerability is not purely technical, social engineering is the hardest form of attack to defend against: it cannot be countered with hardware or software alone.

A successful defence depends on having good policies in place and on ensuring that all employees follow them.

1. Security Policy addressing Social Engineering

The fundamental level of defence is to establish a security policy that addresses social engineering attacks. Such a policy gives students and staff a basis for resisting the psychological triggers that social engineers exploit, such as apparent authority, diffusion of responsibility and appeals to moral duty.

The policy should explicitly set out the responsibility of students and staff to exercise due care in detecting potential social engineering activity before giving away sensitive information or privileged access.

2. Security Awareness Training for All Users

Once the security policy has been established and approved, all staff and students should receive security awareness training. Security training makes a difference in how staff and students apply the security policy in their daily work.

The security awareness training should also cover the following areas:

  • Identification of valuable data or sensitive information related to the universities and their members in accordance with the information classification standard

  • Protection of valuable data or sensitive information based on the information handling standard

  • Necessary procedures required for detecting suspicious social engineering events

  • Escalation procedures for possible social engineering incidents and preservation of relevant evidence

3. Resistance Training for Key Personnel

Apart from the security awareness training delivered to all students and staff, more advanced resistance training should be offered to key personnel within the universities. Key personnel are usually responsible for providing support to others, especially the general public, and hold the most privileged access to the universities' information systems.
