Technology, at the end of the day, is only as secure as the person using it. You can have all the content filters and packet-sniffing software in place across your network, but if someone is viewing something he shouldn't be, there is little you can do. Another example: install all the anti-virus applications you can get your hands on and spend day and night keeping them updated. Put an outgoing quota on your email server so that nobody can send attachments or receive .exe or zipped files. But if someone sends a link to a site which will inadvertently install a small server on your machine, there is nothing you can do to stop it.
You can have the most secure system in the world at your disposal, but if you have a disgruntled person in your IT department, it is as vulnerable as a sponge. Footprints, access codes, loopholes and exceptions can all be masked in any system, and the log can be altered so that knowledge of a backdoor is held only by the person who created it. All of this is a reality.
You access all your web accounts and even plug into your enterprise network using your cellphone. Like most people, you have your passwords saved. If, God forbid, your cellphone gets into the wrong hands, you will have trouble recalling which accounts you accessed and which passwords you need to reset.
Do you see a trend here? You should, because we're certainly not outlining the script from a movie. No matter what you deploy to secure your network and system, until you do something to secure and mobilize the human factor in your organization, you are always going to be vulnerable. And no, it doesn't matter whether your organization is small or large. As long as you have people, you are going to have ways to get into the system.
Social engineering is something that gives true character and personality to a “smooth talker”. Someone who will use his or her social skills to get you to reveal critical packets of information, which can then be used to break down your business, is an increased risk in the corporate environment. Ever been in a situation where you divulged some confidential information to a friend or a confidante? Shown off a credit card that has your photo ID on it just so they can 'wow' at your smile? Had a casual conversation where you revealed some classified information to impress someone? In today's age of increased corporate competitiveness, there is a greater chance that such information will be used to get into a network, gain access through a firewall and exploit an organization.
People! The biggest risk, in this case, is also the biggest asset in any organization. You obviously can't function without people in place. But security is not about code or software. It's about seeing the people and noticing a change in their behavior. If there is a modification, debug and defuse it before the problem causes irreparable and irreversible damage to the repute of the organization.
You do need to have policies in place and enforce them, and while these policies are there to protect the business, they are also implemented with the behavior of the company's team members in mind.
So next time you think about how secure your office or network is, take a moment to look at the office environment around you. The organization, network or security solution is only as strong as its weakest link.