I believe it's been over a year since I last wrote on this topic, but as is evidenced by this article and the recent Treasury report, social engineering is every bit the problem it's been since long before Mitnick made it famous.
The social engineering tests discussed in this article score as follows:
2001 – 71% failure
2004 – 35% failure
2007 – 60% failure
What do these numbers tell you? To me they say a number of things. First, it might be a better idea to budget for a social engineering test more frequently than every three years. Second, testing and training are things (like systems patching) that must be continually performed and reviewed. As these numbers show us (granted, they may be more a function of luck than anything else), an organization cannot rely on training to hold up over time. There simply is no way around it. We're fallible. I know CIOs who have fallen for social engineering tests. We forget, and we need to be continually reminded.
I wonder how executive management would respond if they were told that any other part of their security infrastructure failed 60% of the time? Almost any organization's greatest investment, and greatest asset, is its people, and yet the resources dedicated to protecting them remain disproportionately small.