Evaluating Employee Security Awareness and Adherence to Policy

Delta Risk’s Social Engineering Assessments, which include facility and physical security as well as phishing tests, deliver an objective evaluation of your employees’ awareness, training, and policy adherence. Social engineering is a collection of techniques for intentionally manipulating people into providing inappropriate access to sensitive or exploitable information, information systems, or workspaces. It may involve a completely non-technical form of intrusion or cutting-edge technology, but the key is that it depends on human interaction for success—or failure, depending on your perspective. Very often, it involves tricking people into compromising normal security policies and procedures by exploiting the typical human desire to be friendly and helpful and to avoid confrontation.

Delta Risk offers a wide range of services designed to address these issues, including:

Physical Security

• Site security architecture
• Entry / Perimeter testing (access, employee awareness, gatekeepers, guards, receptionists, etc.)
• Sensitive area / Data center unauthorized access
• External equipment removal

Sensitive Information Handling

• External sensitive information handling (work areas, conference rooms, white boards, etc.)
• Document disposal procedures (“dumpster diving”)

General Employee Awareness

• Phone-based social engineering
• Email-based social engineering
• Unknown removable media handling (technical data leakage)
• Workstation access

Questions to Ask

• Do your employees realize the potential danger of simply holding a door for someone?
• Do they understand the importance of keeping their desks clear of confidential documents and their workstations locked when they walk away from them?
• Do they consistently shred sensitive documents instead of placing them in the trash?

No information security program can be successful without considering the “people factor.” The weakest link in many security programs are the people who must interact with and use systems and applications every day, whether as customers or employees or both. With active social engineering testing, you can assess the strengths and weaknesses of not only your digital security, but your physical security programs and controls.

As part of each assessment, Delta Risk delivers a detailed report outlining your strengths and weaknesses. We often uncover socially-oriented vulnerabilities, and then document them through text and images that show our facility penetration, papers harvested from trash receptacles, and important data pieced together through online sources. Most importantly, every Delta Risk report contains actionable recommendations for resolving each issue.

Offering extensive experience with social engineering assessments—and an eminently flexible approach to service delivery—Delta Risk is your best choice for addressing employee awareness, training, and education.

Is a Social Engineering Assessment Right for You?

• You want to understand the effectiveness of your employee security awareness initiatives
• You want to find out how vulnerable your employees are to phishing attacks
• You need to evaluate the completeness of your security policies and procedures
• You need to determine if a motivated intruder can get physical access to your facilities
• You need to know if an intruder can gain access to sensitive work areas, documents, or information systems

Service Features

• Remote data leakage analysis and on-site reconnaissance
• “Dumpster Diving” and sensitive document handling and disposal tests
• Facility security testing, employee email and telephone “phishing” tests
• Found and implanted device tests, such as removable USB flash drives
• Desk-checks, visitor check-in and escorting, and security guard effectiveness
• Detailed post-assessment report with actionable recommendations