Here's a true story. An independent consultant was asked to test an insurance company's security. The insurance company had recently spent a considerable amount on upgrading their security - including installing a new IPS - and wanted to be sure that every door had been closed. The consultant was given no access to the company's office or computers - he had to work in exactly the same way that an external attacker would work. So, he put on some coveralls, took a toolbox and arrived at the company's office just as the lunch hour was ending. He walked through the keycard-controlled door behind a member of staff who kindly held the door open for him. He found a printer, opened up his toolbox and acted as if he was carrying out some repairs. At this point, he could have hooked up a laptop and sniffed the network for interesting material, but instead he opted for a simpler approach. He walked over to an employee whose desk was close enough to the printer that she had been able to see him working, explained that he had serviced the printer and asked whether he could use her computer to run a test print and check that all was well. "Sure," she said. "Do you want a coffee?" Home run! Within 15 minutes the consultant had gained access to the building, gained access to the network and been able to download a selection of data to a USB drive while his coffee was being fetched.
The moral of this story is that security is as much about people as it is about technology. There's really no point in securing your network perimeter if an attacker can bypass that line of defence simply by walking through your door and sitting in front of a computer. Hardening your network against attack is not enough - you also need to harden your people.
Social engineering attacks, such as the one outlined above, succeed for one of three reasons. Firstly, the majority of people try to avoid confrontation - it's embarrassing to make somebody wait at the door while you check them out (and, heck, it could be an important client who'll complain to the boss about being delayed!). Secondly, most people are basically trusting - if somebody says that he's come to service the printer, then he probably has. Thirdly, many people are ignorant of the risks - they simply don't realise that sharing their passwords, or writing them on a sticky note and attaching it to the underside of their keyboards, represents a significant security risk.
The introduction of a program of training and education will enable you to harden your staff. Don't just tell them what's expected, tell them why it's expected too. You'll find that your staff are far more likely to comply with policies if they know why they exist. You should also make it clear to your staff that they'll never find themselves in hot water as a result of having exercised caution - for example, tell them that it's ok to ask somebody to wait at the door while they find out whether that person is to be admitted.
In addition to educating your employees about risks, it's also important to train them to use whatever security software you put in place. According to a recent study by the Verizon Business Risk Team, misconfiguration is a contributory factor in 15% of data breaches. Installing the latest and greatest security solutions isn't enough - you also need to make sure that your staff know how to configure and manage them properly.

Hey, but we're a small business! Nobody would want to target us, right? Wrong! Chances are that your small business network would be a much easier nut to crack than an enterprise network. Unlike an enterprise, you probably don't have specialist security staff on your payroll - in fact, if your business is really small, you may not even have dedicated IT staff. You probably don't have an IPS or an IDS. You probably don't contract a third party to conduct penetration testing. You probably don't provide your staff with regular security awareness training. In short, you are probably a much softer target than an enterprise. And criminals, of course, usually go for easy targets - which is why more people attempt to steal from corner stores than attempt to steal from Fort Knox.
To be effective, your security strategy must take account of people; if it doesn't, your investment in technological solutions will be severely undermined.