This post is about social engineering. It will cover some of the dangers of social engineering and focus more on what a corporation or a company can do to help better prepare their employees for those kinds of situations.
Positive Reinforcement
It doesn’t always have to be a pen test. Frankly, pen tests are not going to save you. Constant reinforcement of security ideals and security practices is what’s going to keep you safe. It’s ideal to have an employee just walk through the area making sure the Clean Desk Policy is being enforced, making sure no passwords are written underneath the keyboard, making sure they’re not posted on the monitor, doing those kinds of things.
Because even if you find nothing, people see that, and in that instance they realize: “Oh, they’re looking to make sure the area’s secure. I have to keep making sure my area’s secure as well, because I don’t want to be called out in a negative way saying that I was doing something unsecure, because that would go to my manager, my supervisor.”
Even if they don’t find anything, they’re passively promoting security awareness and a security-conscious environment. Humans are not something that can be patched every second Tuesday of the month. It has to be a constant kind of awareness, a constant kind of environment where you show that.
If a company is compromised, it mostly happens through the CEO. Because when the bad guys are attacking, when they’re going after your company, they’re not going after the mailroom, they’re not going after the clerk or the entry-level person; they want to go after the CEO, they want to go after the CIO. Why? Because usually top managers think they deserve an exception to the security policies. They may not need antivirus software updating all the time because it crashes the system or runs too slow. They don’t have to use the two-factor authentication token, they just have to use their password. They don’t have to meet the minimum password length and special character requirements everybody else in the company does. They just want it to be their first name so that it’s easier for them to get in.
And when the company is compromised, they’re not going to come back and say: “Oh, my bad.” They’re going to be: “Why didn’t you protect me from myself? Why weren’t you doing the job that was protecting me from me harming the company?” So that’s one of our responsibilities as well, telling the executives things they may not really want to hear. But that’s what we have to do, because we’re trying to protect the company from the human element.
Socially Engineer Your Employees
Basically you want to socially engineer your employees and your environment in order to protect the company from social engineering. Make the people more conscious, suddenly change the environment so that people are more suspicious, that they are more questioning of what’s going on. They must question things that may be out of the ordinary.
Usually, after compromising a network or a company, most pen testers can see and feel from people’s facial expressions and body language that they were suspicious but still let the intruders in. Later on, after the pen test, workers say: “Yeah, I knew there was something not quite right, but he said he was supposed to do this, I didn’t want to challenge him.”
It is guaranteed that next time they’re going to challenge. That is part of inoculation: giving them that encouragement, giving them that kind of courage to stand up and say: “Hey, this doesn’t seem right. I’m going to question you.” People need to understand they have to do something in such situations: call security, call the police, call someone, react to it in some way, not just ignore it. And that’s one of the key things that employees have to understand. They don’t necessarily have to confront the situation, but it is imperative, and part of their responsibilities, to report the situation.
Author Bio
Alex Lamman is a 25-year-old software engineer, snowboarder and just a loving father from Germany. He is an Internet security addict and helps to run Privacy PC – a website which guides you through security and privacy news, tips and antispyware software reviews.
Industrial Cybersecurity
September 28, 2023