Manipulation
Protecting an organisation's information is the responsibility of all staff, and to be fully effective it requires regular security training to help staff guard against attacks on information.
Sometimes deliberate attempts are made to acquire information or access by manipulating staff through a range of influencing techniques. This is sometimes described as 'social engineering': creating situations in which someone will willingly provide access to information, sites or systems to someone not authorised to receive it. Customer-facing personnel who have been trained to be helpful and informative (for example, receptionists and IT helpdesk staff) can be particularly vulnerable to such attacks.
The techniques are often very simple, exploiting basic human tendencies such as the desire to return a favour or to help a colleague in need, but they can be used with damaging effect. Attackers may try to gain information piecemeal over a period of time, asking for small favours or gaining information through seemingly innocent conversation. Determined attackers prepare well, learning about a company's structure and language in advance. They might pretend to be a co-worker, a new employee or a delivery person. They might send emails with attachments containing malicious code or pretend to have lost their computer password.
Methods of defending against this sort of attack include the following:
- provide specific training in detecting manipulative attempts to frontline and customer-facing staff;
- warn all staff to be alert to anyone asking for sensitive or restricted information;
- be alert to an unknown enquirer who tries to extract information in a rush, with intimidation, by emphasising authority, or by refusing to give contact details.
11/07/2007