According to Kevin Mitnick, training employees and creating awareness about social engineering is the best security strategy. On the other hand, the article ‘Is Security focused on wrong problem’ explains that employee awareness training and pen testing can only get so far, and that adopting a new approach, ‘know thy data’, might be the key to reducing social engineering attacks. I believe knowing your data is secondary; what matters is how well employees understand the information security policy and follow it. Employees need to understand the policies, because policies are just written statements; they mean nothing until employees understand them. This can only be achieved with proper training and guidance, as no employee is completely aware of the threats to the company's information or to the information they handle. In my opinion, security policies are like rubrics: just as students require a rubric to complete an assignment, employees require guidelines to handle company information. In the absence of these guidelines, employees rely on their own judgment, which often leads to giving away information they shouldn't.
As stated in the second article, the ‘know thy data’ approach might bring us a step closer to fighting social engineering attacks, but I feel it would not be effective without understanding the dangers and