Opinion – Role of policies in mitigating security threats


Dr Kennedy Kaumba Mabuku 

What invisible vulnerabilities lurk within your organisation’s defences, waiting to be exploited by cunning adversaries? Are your employees unwittingly handing over the keys to your digital kingdom through social engineering tactics? 

In today’s digitally driven world, the spectre of cyber threats looms large, with social engineering emerging as a particularly deceptive tactic. 

Unlike traditional cyberattacks, which exploit system vulnerabilities, social engineering manipulates human psychology to deceive individuals within organisations. In institutions lacking a deep understanding of their role in addressing social engineering security threats, there persists a common misconception that the responsibility for mitigating such threats falls solely on individual employees. This flawed assumption often leaves employees inadequately equipped to recognise and respond effectively to social engineering tactics, thereby increasing their vulnerability to attacks. Conversely, institutions that possess a comprehensive understanding of social engineering develop and implement robust policies that extend beyond individual responsibility, encompassing measures related to personal security.

Gehl and Lawson (2022) define social engineering as psychological manipulation used to coerce individuals into disclosing sensitive information or performing actions that compromise security. Techniques include phishing attacks, pretexting, baiting, and tailgating—all exploiting human trust (Schwaninger & Ott, 2024). This may remind us of instances in which phishing emails mimic legitimate communications, tricking recipients into revealing confidential information or clicking malicious links; such incidents have become common in Namibia. It can be argued, with considerable support, that the primary reason for these continuous attacks is a lack of specific policies to combat social engineering threats, leaving employees ill-prepared to recognise and respond to attacks.

With this recognition, I may state that without clear guidelines on identifying suspicious communications, handling sensitive information, and reporting incidents, employees become easy targets. 

It is evident that many organisations in Namibia and elsewhere provide individual employees with institutional email addresses, allowing these addresses to be accessed from anywhere at any time. However, the absence of strong policies to minimise social engineering attacks leaves these employees vulnerable to various forms of exploitation. This lack of policy implementation likely contributes to the prevalence of attacks targeting end employees. 

Furthermore, it is crucial to recognise that every risk and mistake resulting in institutional costs can be attributed, to some extent, to employees. Understanding this underscores the importance of implementing policies to regulate and address social engineering threats, not only benefiting individual employees but also benefiting the organisation as a whole. 

In instances where individuals fall victim to social engineering, their performance may suffer due to the psychological toll associated with being targeted. Expecting high performance from employees who have experienced such psychological manipulation is unrealistic and highlights a lack of understanding of the conditions necessary for a productive working environment. Hence, phishing attacks enabled by insufficient email security and a lack of employee training result in unauthorised access to sensitive data. Similarly, pretexting calls, in which an attacker poses as an IT technician and persuades an employee to grant remote access, highlight the absence of identity verification protocols and social engineering security measures.

Moreover, inadequate access controls enable insiders to steal proprietary information undetected. All of these point to the importance of strategic leadership, which fosters security awareness through various measures and sets the tone for compliance. In light of these considerations, how can leaders and individuals proactively address the omnipresent threat of social engineering? What specific measures can organisations implement to bolster their defences and mitigate the risk of falling victim to social engineering tactics?

Furthermore, how can we foster a culture of security awareness and vigilance among employees to ensure collective resilience against evolving threats? These questions challenge us to confront the reality of social engineering threats and inspire those in leadership positions to take decisive action to safeguard our institutions, our data, and our future. Given the profound security concerns that affect our existence, security underpins every facet of our lives, shaping our ability to thrive and progress.

As such, the presence of strategic security managers becomes imperative to safeguarding our operations, assets, and personnel. Their expertise ensures proactive measures are in place to mitigate risks, enhance resilience, and foster a secure environment conducive to innovation and prosperity.


* Dr Kennedy Kaumba Mabuku shares these thoughts personally, independent of any security institutions. He can be reached at kennedymabuku@yahoo.com or 0814173100