Why test user behaviour in your company?
Your workforce is both your most effective line of defense and a major entry point for attackers. It is widely accepted that the human factor is often the weakest link in the security of any information system. If you have already adopted an awareness program, for instance through our online or on-site trainings, and want to evaluate the progress your users have made, a social engineering campaign can serve as an excellent benchmark.
Social engineering campaigns
A social engineering campaign is usually carried out on a limited set of users (of your choice, or selected based on our assessment). The goal is to attempt to abuse users' good faith in order to have them perform certain actions and to obtain information (e.g. passwords) through several techniques. One standard scenario is the "clicking test". Its purpose is to check whether a user is willing to click on a link embedded in an illegitimate email and, in a second step, whether it is possible to elicit information from that user.
Each social engineering campaign is entirely customizable, and different scenarios with varying complexity can be implemented:
- Phone calls from a fake IT helpdesk or provider.
- Fraudulent emails from an alleged partner or provider of your company.
- Scenarios involving USB devices (e.g. malicious USB keys deliberately "lost" on your premises, or USB "goodies" sent by post to your users).