After a brief look at what risk management is, we can dive into what risk management for social engineering means.
What is risk management for Social Engineering?
Every company has electronic equipment and people who operate it.
If you look at your servers, laptops, firewalls, routers, mobile phones and fax machines as just "stuff", stop reading now. But you don't. You build an asset list, with the specific risks for each asset, a mitigation plan and monitoring.
You need to do the same with your employees. They are not one piece of equipment: twenty employees are twenty assets. You have the paranoid IT guy who reads his email in a terminal, and on the other hand you have Double-Click Dave, who double-clicks any link he is sent.
Today you lump all of them into a single one-day course and expect meaningful results. First, you need to build your asset list, KYE (Know Your Employee): find out what they like and what they don't, how well they understand the risks they face day to day, what tools they use, and how they bypass your restrictions.
Second, you need to assess what they know, and test them.
Third, you need a mitigation plan: what is your paranoid IT guy missing because of his over-paranoia? Why does Double-Click Dave double-click every email? How can you personally teach each of them about social engineering risks?
And finally, you need to monitor: check whether those classes actually changed behaviour in day-to-day work. That takes constant cycles of testing and training.
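The four steps above (KYE profile, testing, personalized mitigation, monitoring across cycles) can be kept in the same kind of register you already keep for servers. The following is an added example, not code from the original post: a small per-employee risk register in Python, with hypothetical employees ("dave", "pat"), constructed phishing-simulation results for two test cycles, and risk tiers and rules chosen for illustration.

```python
"""Per-employee social-engineering risk register (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Employee:
    """One employee treated as one asset (the KYE step)."""
    name: str
    role: str
    tools: list[str]                       # what they actually use day to day
    bypasses: list[str]                    # how they work around your restrictions
    training: list[str] = field(default_factory=list)  # mitigation already delivered


@dataclass
class SimResult:
    """Outcome of one simulated phishing email (the testing step)."""
    cycle: int
    employee: str
    lure: str                              # theme of the lure, e.g. "invoice"
    clicked: bool
    reported: bool                         # did they report it to security?


# Constructed sample data: hypothetical employees and campaign results.
EMPLOYEES = {
    "dave": Employee("dave", "sales", ["outlook", "phone"],
                     ["forwards work mail to a personal mailbox"]),
    "pat": Employee("pat", "it", ["mutt", "terminal"],
                    ["disabled the link-rewriter on his own mailbox"]),
}

RESULTS = [
    # cycle 1: dave clicks everything, pat clicks nothing but reports nothing either
    SimResult(1, "dave", "invoice", True, False),
    SimResult(1, "dave", "password-reset", True, False),
    SimResult(1, "dave", "shared-doc", True, False),
    SimResult(1, "pat", "invoice", False, False),
    SimResult(1, "pat", "password-reset", False, False),
    SimResult(1, "pat", "shared-doc", False, False),
    # cycle 2, after personalized coaching
    SimResult(2, "dave", "invoice", False, True),
    SimResult(2, "dave", "password-reset", True, False),
    SimResult(2, "dave", "shared-doc", False, False),
    SimResult(2, "pat", "invoice", False, True),
    SimResult(2, "pat", "password-reset", False, True),
    SimResult(2, "pat", "shared-doc", False, False),
]


def _mine(results, name, cycle):
    return [r for r in results if r.employee == name and r.cycle == cycle]


def click_rate(results, name, cycle):
    mine = _mine(results, name, cycle)
    return sum(r.clicked for r in mine) / len(mine) if mine else None


def report_rate(results, name, cycle):
    mine = _mine(results, name, cycle)
    return sum(r.reported for r in mine) / len(mine) if mine else None


def risk_tier(results, name, cycle):
    """Per-asset risk rating; thresholds are illustrative, not from the post."""
    clicks = click_rate(results, name, cycle)
    reports = report_rate(results, name, cycle)
    if clicks is None:
        return "untested"
    if clicks >= 0.5:
        return "high"
    if clicks > 0 or reports == 0:     # never reporting is a gap too (the paranoid IT guy)
        return "medium"
    return "low"


def register(employees, results, cycle):
    """The asset list: one risk entry per employee for a given test cycle."""
    return {name: risk_tier(results, name, cycle) for name in employees}


def mitigation(employees, results, name, cycle):
    """Personalized mitigation plan built from test results plus the KYE profile."""
    plan = []
    fell_for = sorted({r.lure for r in _mine(results, name, cycle) if r.clicked})
    if fell_for:
        plan.append("coaching on lures: " + ", ".join(fell_for))
    if report_rate(results, name, cycle) == 0:
        plan.append("coaching: report suspicious mail, do not just delete it")
    for bypass in employees[name].bypasses:
        plan.append("discuss bypass: " + bypass)
    return plan


def monitor(results, name, prev_cycle, cycle):
    """Monitoring step: did behaviour change between two test cycles?"""
    b_click, a_click = click_rate(results, name, prev_cycle), click_rate(results, name, cycle)
    b_rep, a_rep = report_rate(results, name, prev_cycle), report_rate(results, name, cycle)
    if b_click is None or a_click is None:
        return "untested"
    if a_click > b_click:
        return "worse"
    if a_click < b_click or a_rep > b_rep:
        return "improved"
    return "unchanged"


if __name__ == "__main__":
    for name in EMPLOYEES:
        print(name, register(EMPLOYEES, RESULTS, 1)[name], mitigation(EMPLOYEES, RESULTS, name, 1),
              monitor(RESULTS, name, 1, 2))
```

The point of the two constructed profiles is that the register gives them different entries: Dave's risk is clicking, so his plan is coaching on the lures he fell for; Pat's risk is that he never reports anything and has turned off a control, so his plan is about reporting and the bypass, not about clicking. The monitoring step compares cycles per person, so a training round counts as effective for Pat when his reporting goes up even though his click rate was already zero.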
As the CISO, you can't look at your employees as pieces of equipment. Each one brings a personalized set of risks, and each one needs a personalized solution.