AVA is supposed to “test” how employees fight off social engineering – by tricking them and stalking their social networks.
The implications are huge. Your employer may run a program on your corporate network which finds out what your level of access is within your organization. It then tracks who you communicate with most via your corporate email and learns the patterns.
The next stage of this program is to test the individual’s reaction to social engineering and how much of a weakness they represent. This is done by sending a “benign” phishing email or fake social message (yes, this means the system knows your private social media network, not just your corporate one) and then analysing whether you follow the procedure your company has set and whether you pose a threat to your company’s safety and security.
I’ve worked in the corporate world for all of my career and I cannot count the number of trainings I have had to attend about policies, social engineering and phishing. Most of them were your standard corporate PowerPoint presentation of “Don’t do this, it’s bad for our reputation”. Sign on the dotted line to show you’ve understood the training and get back to your desk.
And I understood the training. It’s normal. It’s part of the job.
This new proposal by a company called AVA, based in New Zealand, however, goes a step further. They have now formed a committee to deal with the privacy implications, but as an employee, would you sign a contract stating that a program run by a third-party company can monitor your behaviour on social media and check whether it complies with corporate policy?
AVA lets you “Safely inject security tests into your networks and monitor propagation in realtime. Instantly deploy automatic tests across email and social networks like Twitter, Facebook, and LinkedIn.”
Then it lets you analyse in real time which departments have understood the aforementioned security trainings and which have not.
Social engineering is a great threat to privacy and integrity – there is no doubt about it. Employees and businesses need to be aware of that threat. One hacked Facebook account of one middle-ranking manager can wreak havoc across an entire company: information could be leaked and privacy breached.
AVA’s position is that security firms are comfortable working to make technology more secure, but somehow the buck always stops at human error and human vulnerabilities. You can have the best security software in the world; if someone shares their password or invites the person with the hot profile picture into their life, it all goes down the drain.
In that regard, AVA has a good point. There is no real “software” to detect human error (even AVA is not that – it only estimates the likelihood of a particular human’s error). The only software that protects companies and ourselves from this is the most complex thing in the universe: the human brain.
Maybe the training and testing should start there, and not with cat photos shared on Facebook. Just a thought.