In fact, all organizations
Social engineering is of course one of the central issues in this month's NoticeBored security awareness materials on human factors in information security. With people attacking people, it's self evidently about the human factors.
The announced contest is very restrained, with pre-set rules that limit the target organizations, the nature of the attacks and the types of information to be exploited. Anyone who believes criminal hackers using social engineering techniques outside of the artificial contest situation would respect such arcane rules is deluded. That's the real take-away lesson from this contest and the furore that surrounds it: if a bunch of social engineers really threatens your corporate information assets under the strict rules of the contest, then oh boy are you vulnerable to unethical attackers.
To give them their due, the FFIEC does advise clients to run security awareness and training activities:
"Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials for desktop and workstation users would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses."I'm relieved that they don't actually say "annual awareness training courses" there at the end, but unfortunately I'm sure that's how many of their more naive clients will interpret the advice. Annual courses are patently NOT the way to raise security awareness. They have never worked as intended, as anyone who has either run them or been forced to attend will surely agree. The change to ongoing/rolling security awareness programs makes all the difference. So if "periodic" actually meant "continuous", I'd support the FFIEC advice.
What do you make of the social engineering contest? Do you think it helps or hurts the cause for better information security? Comments are very welcome.