Page 59 - Cyber Defense eMagazine September 2018

FIGURE 1. JETTON’S RAMPART DE TROIKA.


Awareness
Awareness is the first step in confronting social engineering threats. Here, a user is introduced to the tactics of the social engineer, such as vishing (telephone), phishing (email), and smishing (text) exploits. Within this step users must learn the value of the information they handle, as well as the sources social engineers exploit to obtain it.

Training

Training is the next step. Once awareness is created, users learn what to do and what not to do. Users learn not only to protect valuable company information but also to actively defend against a social engineer who is targeting them.

Training Musts:

• Whether conducted in a classroom or online, training must be as hands-on and realistic as possible.

• Training must be consistent, which means everyone at the company must have the same information and guidance.

• Regardless of whether training is internally or externally sourced, it must reinforce what the company values and deems important while teaching users how they can avoid and/or mitigate social engineering techniques.

• The training should cover, at a minimum, disclosure of personal information, policy review, effective destruction of old data, credentials, challenging individuals, physical security, and the techniques and motivations of the social engineer.

The standard should be no less than quarterly training, so that skills and vigilance do not diminish over time.