The foundation of any computer or network security strategy is access control — providing those who should have it with access to resources on the network and keeping everyone else out. The basis of controlling access is to be able to verify the identities of those authorised users; otherwise any intruder can pretend to be chief executive John Smith or Mary Jones in accounting, and sign onto the network.
The simplest way of authenticating network users is to require that they enter a unique password tied to their user accounts. Theoretically, each user is the only person who knows his/her password so if the correct password is given, the user's identity is proven.
Password authentication is the method used by most small businesses. It's easy and cheap and built into the operating system. You don't have to buy anything extra to implement it. And it works — most of the time.
Most of the time is enough for many small companies with low security needs. If you don't have any important trade secrets, confidential client information (such as credit card numbers or credit histories), sensitive employee information (such as medical histories or social security numbers), etc. on the network, you might not need to spend money on a more secure authentication method.
Organisational growth increases security needs
The problem is that as companies grow, their security needs often increase. More and more of your business records are digitised; you get government contracts or move into regulated fields such as health care, financial services, etc. You incorporate and become subject to a whole new level of regulatory requirements, privacy protections, and so forth. Your organisation's profile becomes higher, so you become more of a target for hackers and attackers who had no interest in your network before. The company spreads out geographically and hires more personnel, and implements remote access solutions to allow employees to connect from home or on the road, so that it becomes easier for a stranger to blend in and penetrate the network.
At this point, you've probably begun to think about network security. You may invest in expensive firewalls and intrusion detection systems to thwart attacks. However, it doesn't take a genius hacker with top skills to get into your network. Many intruders do so not by writing exploit code but by using social engineering (people skills) to find out legitimate user names and passwords.
A technical solution for a social problem
Con men (and women) have been with us since the beginning of civilised society. Social engineering is not a technical problem — the software is working exactly as it's supposed to, allowing access only after identity has been verified with the correct password. It's a people problem: people can be intimidated, charmed, or tricked into revealing their passwords, either directly or indirectly. Education can help reduce instances of social engineering, but as long as human nature remains the same, some folks will always be vulnerable to it. There is, however, a technical solution.
