The Human Factor as a strategic point in Information Security

October 18, 2019

* Carolina Fernandes

Technology, Processes and People

It is the famous tripod that everyone needs to watch when it comes to achieving effective Information Security. Technology covers the tools and solutions for preventing, detecting and recovering from any security incident; processes cover all the mechanisms, rules and procedures involved in the Information Security strategy, aligned with the organization's business areas; and lastly, people, the central subject of this article, which is addressed from here on.

Social engineering

Information Security professionals consider the human factor the weakest link compared with the other pillars (technology and processes). The reason is Social Engineering, an almost always effective attack method in which the social engineer uses persuasion to obtain the information or access (physical and/or logical) he wants. The main methods of this type of attack are:

• Baiting: A somewhat laborious activity for the social engineer. He leaves an item or piece of information available to the target, for example a CD or flash drive with an eye-catching label such as “Promoted from next year” in a visible place, to arouse enough curiosity in the individual to induce him to insert the removable device and execute or install the infected content it contains.

• Phishing: One of the most used and most successful techniques, especially in the corporate environment. Typical features of phishing emails are requests to confirm an individual's identity, or to update and/or validate access to an application or website, which require the recipient to click a specific link or open an attachment and run the malicious content so that the requested information can be stolen. The emails often come from managers and employees who hold a high position within the organization, to lend credibility to the request; these accounts have been hacked, and the real recipient of the reply is the attacker, who receives the information improperly.

• Spear phishing: Focused on a specific organization. The social engineer impersonates a high-level executive of the organization and approaches employees to obtain the information he needs. The success rate of this attack is extremely high because employees rarely doubt or question their superiors within the organization.
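The phishing and spear phishing traits listed above (identity-confirmation or access-validation wording, a link or attachment that must be opened, a sender posing as a senior executive, and replies that end up with the attacker) can each be checked mechanically on an incoming message. The script below is an added example for this article, not code from the original post or from Safeway; the organization domain example.com, the executive directory, the lure phrases and the three sample messages are all constructed for illustration.

```python
"""Score an email against the phishing traits described in the article.

Added example, not code from the original post or from Safeway. The domain
example.com, the EXECUTIVES directory and the three sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

EXECUTIVES = {"ana ribeiro": "ana.ribeiro@example.com"}  # constructed directory
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".zip")
LURE_PATTERNS = [  # identity-confirmation / access-validation wording
    r"confirm (your )?identity", r"validate (your )?access",
    r"update (your )?(account|password|credentials)", r"verify (your )?(account|identity)",
]


class LinkCollector(HTMLParser):
    """Collect (href, visible label) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._label = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def text_parts(msg):
    """Yield (content type, decoded text) for every text/* part of the message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_type(), raw.decode(part.get_content_charset() or "utf-8", "replace")


def analyze(raw_message):
    """Return the list of phishing indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    # Spear phishing: a known executive's name on an address that is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        found.append("executive-impersonation")
    # Replies (and the requested data) diverted to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        found.append("reply-to-mismatch")
    for ctype, text in text_parts(msg):
        lowered = (msg.get("Subject", "") + "\n" + text).lower()
        if "credential-lure" not in found and any(re.search(p, lowered) for p in LURE_PATTERNS):
            found.append("credential-lure")
        if ctype == "text/html" and "link-text-mismatch" not in found:
            collector = LinkCollector()
            collector.feed(text)
            # A link whose visible label names one host but whose href points at another.
            if any(host_of(label) and host_of(label) != host_of(href) for href, label in collector.links):
                found.append("link-text-mismatch")
    # Attachments with extensions that run code or carry macros.
    if any((p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS) for p in msg.walk()):
        found.append("risky-attachment")
    return found


# Constructed sample messages (not real mail).
PHISH = """\
From: Ana Ribeiro <ana.ribeiro@example-mail-secure.com>
Reply-To: hr-confirmations@mailbox-relay.net
To: joao@example.com
Subject: Urgent: validate your access
Content-Type: text/html; charset="utf-8"

<html><body><p>Please validate your access to the payroll portal today:
<a href="http://portal-login.example-mail-secure.com/">https://portal.example.com/login</a></p></body></html>
"""
LEGIT = """\
From: Ana Ribeiro <ana.ribeiro@example.com>
To: joao@example.com
Subject: Q3 planning notes
Content-Type: text/plain; charset="utf-8"

Hi Joao, the notes from today's planning meeting are on the intranet: https://intranet.example.com/q3
"""
ATTACH = """\
From: HR Department <hr@example.com>
To: joao@example.com
Subject: Please confirm your identity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached form to confirm your identity before Friday.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="identity_form.docm"

ZmFrZQ==
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT), ("ATTACH", ATTACH)):
        print(label, analyze(sample))
```

A message that trips several indicators at once is the profile the article describes: an executive's name on a foreign address, a Reply-To that routes the answer elsewhere, wording that asks for identity confirmation, and a link whose label does not match where it goes. None of these heuristics is proof on its own, and the legitimate sample shows an internal executive sending an intranet link scores nothing; the point is to surface the same cues the awareness training asks employees to look for.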


Even though there are many Social Engineering attack methods, some basic habits prevent a good number of them.

• Be careful when talking about your organization's confidential information in public;

• Always make sure that the paper you are throwing away does not contain confidential information, which must instead be shredded and disposed of at a designated location;

• In the case of phone calls and emails, confirm the legitimacy of the contact before passing on any information;

• Avoid posting too much information about your personal and professional life on social networks.

The investment in the item “People”

The success of Social Engineering depends solely on the user and/or employee being unable to recognize the situation they are being exposed to. For the Technology, Processes and People pillars to be effective, it is necessary to invest heavily in the “People” item; this base then becomes a potential booster for the other two. Efforts invested in well-defined solutions, tools, policies and standards will be ineffective if the employee/user is not properly instructed, for example by disclosing a password, sharing sensitive information with unauthorized persons, or simply not knowing the company's existing policies and sanctions. On the other hand, if the employee/user acts in accordance with all existing internal controls, understands the organization's needs, properly uses technological resources to protect information, and above all understands the importance of their own role in information security, the controls applied to “Technology” and “Processes” become more solid and consistent.

Organizations need to educate their employees so that they are able to recognize potential threats. There is no perfect model that guarantees 100% empowerment of people, but some key points hold:

• Instruct employees and show them real cases of how misuse of social networks could lead to real vulnerabilities for the organization.

• Conduct awareness lectures, primers and lighter media such as games, quizzes and apps to strengthen retention of the information.

• Periodically test employees by simulating various types of attack to verify their maturity of understanding and commitment to Information Security. After running the tests and collecting the results, give a talk on how the organization would have been affected if the attack were real and which technical and administrative measures would be used to remedy the deviation. Remember that employees must be aware of the company's disciplinary measures in case of improper information leakage.

Always keep in mind that the key to your organization's success is to adapt its culture first, educate employees, and remain aware of the importance of following good practice.

* Carolina Fernandes is a Trainee at Safeway Consultoria.

About SAFEWAY

SAFEWAY is an Information Security company, recognized by its clients for offering high value-added solutions through Information Security projects that fully meet business needs. Over these years of experience, we have proudly accumulated many successful projects that have earned us credibility and prominence with our clients, many of which are among the 100 largest companies in Brazil.

Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people.

Let's make the world a safer place to live and do business!