Paranoia Is Not Enough

Some time ago, The Wall Street Journal interviewed Chris Hadnagy, the CEO of Social-Engineer, Inc., a firm that specializes in improving corporate communication security. Part of Hadagny's job is to obtain sensitive information from his clients' employees as a means of testing their knowledge and practices, and towards formulating recommendations for improvements. His job sounds remarkably easy, thanks to social media, workplace stress, and distraction:

WSJ: What are the signs [of social engineering] you have people look for?

MR. HADNAGY: That's a harder one. We try to teach critical-thinking skills. Do the questions seem to match the call? Why would HR need to know what operating system you're on? Why wouldn't the IT guy know what antivirus you have?

There also is a very simple fix but really hard to institute. On the intranet you make up a color, say, cyan or yellow. That's the color of the day. Only the people internal to the company should know that. I call you and I'm the tech guy. You ask me what the color is.

It might be tempting to regard improved security as easy, if only more people would think critically. That might be true, but the specialist admits to have been tripped up recently himself. I have trained myself to view requests for certain kinds of information very skeptically, but this interview shows how easy it can be for someone to fake credibility in any moment we might be off-guard. As Hadagny states elsewhere, continual improvement of knowledge is an invaluable complement to critical thinking.

-- CAV