An article in SC Magazine caught my eye today. It was on using social engineering techniques to reinforce the importance of security to employees. Article: SC Congress Canada: “Social engineer back” employees
“This could be interesting….” I thought to myself. And it was… And I was right there with them until I read this:
“…challenges with prizes, such as being the first employee to walk over to a co-worker’s unlocked computer to send an email from their account without them knowing.”
Seriously?
So let me get this straight. John Proctor of CGI Group is advocating that employees perform pen testing on each other and gain unauthorized access to email.
Again… Seriously?
It should be a violation of security policy, and perhaps state, federal and industry regulations (depending on the industry and the data), for an employee to leave a computer unattended. It is a vulnerability that can be exploited – obviously, not a good thing. In fact, I’ll go so far as to say it’s a stupid and lazy thing for someone to do.
But…
…To tell untrained employees to exploit vulnerabilities?
…To take that step from identification of a vulnerability to an actual data breach, if the employee does not have the same access as the victim? Or worse, what if they accidentally (or maliciously) send sensitive data outside the company?
That’s negligent at best and criminal at worst.
I’ve got an idea… Let’s leave pen testing to the professionals and not encourage employees to hack into coworkers’ computers, ok?