Businesses that lose data in attacks using social engineering typically blame employees, but that is often extremely unfair, says US-based internet security expert Ira Winkler.
"The real problem is weak security procedures, but individuals tend to get blamed because it makes executives look better," he told attendees of RSA Conference 2010 in San Francisco.
Winkler, who is president of the Internet Security Advisors Group (ISAG), cited an example of how he was able to gain access to a corporate server room.
He simply called the company's reception desk, posed as a company executive to have an access card issued, and later collected the card.
"The company wanted to blame the staff involved, but the problem was that the process for issuing access cards did not require authentication of people requesting and receiving the cards," he said.
After the weakness was exposed, the company demanded to know who had been responsible for issuing the cards, proving there were no tracking processes in place, said Winkler.
Employees manipulated in this way are not to blame, he said, but by shifting the blame, executives hide the fact that they have failed to implement robust security procedures.
"The problem is that when individuals are blamed, the processes often remain unchanged and the vulnerability remains," said Winkler.
Many so-called social engineering attacks could be prevented simply by ensuring that processes are robust and include proper authentication and tracking mechanisms, he said.
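To make the process point concrete, here is an added example (not from the article or from Winkler) that models an access-card issuance desk twice: once as the talk describes it, with no authentication of requester or recipient and no record of who issued what, and once with the three controls Winkler calls for: the requester's identity is verified before a card is created, the collector must prove they are the employee the card was issued for, and every step is written to an audit trail naming the receptionist who acted. The directory, employee names and receptionist ids are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed directory: employee -> (role, manager). All names are made up.
DIRECTORY: Dict[str, tuple] = {
    "alice.exec": ("executive", None),
    "bob.facilities": ("facilities_admin", "alice.exec"),
    "carol.dev": ("engineer", "dana.mgr"),
    "dana.mgr": ("manager", "alice.exec"),
}


@dataclass(frozen=True)
class CardRequest:
    requested_for: str             # employee the card will be issued to
    claimed_requester: str         # who the caller says they are
    requester_authenticated: bool  # True only if that claim was verified (SSO, callback, badge)


@dataclass(frozen=True)
class AuditEvent:
    action: str   # "issued", "collected" or "denied"
    actor: str    # receptionist who performed the step
    subject: str  # employee the card is for
    detail: str


class WeakDesk:
    """The process as the article describes it: a phone claim is enough, the card is
    handed to whoever turns up for it, and nobody records who issued it."""

    def __init__(self) -> None:
        self._n = 0

    def issue(self, req: CardRequest) -> str:
        self._n += 1                       # no authentication, no authorisation check
        return f"CARD-{self._n}"

    def pickup(self, card_id: str, presented_name: str) -> bool:
        return True                        # no identity check, no record


class HardenedDesk:
    """The same workflow with requester authentication, recipient authentication
    and an audit trail."""

    def __init__(self, directory: Dict[str, tuple]) -> None:
        self.directory = directory
        self.audit: List[AuditEvent] = []
        self._cards: Dict[str, str] = {}   # card_id -> employee it was issued for
        self._n = 0

    def _authorised(self, requester: str, target: str) -> bool:
        # Facilities admins, the employee's own manager, or the employee may request.
        role, _ = self.directory.get(requester, (None, None))
        _, manager = self.directory.get(target, (None, None))
        return role == "facilities_admin" or manager == requester or requester == target

    def issue(self, req: CardRequest, receptionist: str) -> Optional[str]:
        if not req.requester_authenticated:
            self.audit.append(AuditEvent("denied", receptionist, req.requested_for,
                                         f"unauthenticated caller claiming to be {req.claimed_requester}"))
            return None
        if req.requested_for not in self.directory or not self._authorised(req.claimed_requester, req.requested_for):
            self.audit.append(AuditEvent("denied", receptionist, req.requested_for,
                                         f"{req.claimed_requester} not authorised to request"))
            return None
        self._n += 1
        card_id = f"CARD-{self._n}"
        self._cards[card_id] = req.requested_for
        self.audit.append(AuditEvent("issued", receptionist, req.requested_for,
                                     f"{card_id} requested by {req.claimed_requester}"))
        return card_id

    def pickup(self, card_id: str, presented_identity: str, identity_verified: bool, receptionist: str) -> bool:
        holder = self._cards.get(card_id)
        if holder is None or not identity_verified or presented_identity != holder:
            self.audit.append(AuditEvent("denied", receptionist, holder or "?",
                                         f"pickup of {card_id} by {presented_identity} refused"))
            return False
        del self._cards[card_id]
        self.audit.append(AuditEvent("collected", receptionist, holder, f"{card_id} handed to {holder}"))
        return True

    def who_issued(self, card_id: str) -> Optional[str]:
        """The question the company in the article could not answer."""
        for ev in self.audit:
            if ev.action == "issued" and ev.detail.startswith(card_id + " "):
                return ev.actor
        return None


def replay_pretext() -> dict:
    """Run the phone pretext from the article against both desks, then a legitimate request."""
    pretext = CardRequest("carol.dev", "alice.exec", requester_authenticated=False)
    weak = WeakDesk()
    weak_card = weak.issue(pretext)
    weak_collected = weak.pickup(weak_card, "unknown caller")

    hard = HardenedDesk(DIRECTORY)
    pretext_card = hard.issue(pretext, receptionist="rcpt-1")
    # Legitimate path: Carol's manager, authenticated, requests; Carol collects with verified ID.
    legit = CardRequest("carol.dev", "dana.mgr", requester_authenticated=True)
    legit_card = hard.issue(legit, receptionist="rcpt-1")
    legit_collected = hard.pickup(legit_card, "carol.dev", identity_verified=True, receptionist="rcpt-2")
    return {
        "weak_issued_and_collected": weak_card is not None and weak_collected,
        "pretext_refused": pretext_card is None,
        "legit_collected": legit_collected,
        "issuer_of_legit_card": hard.who_issued(legit_card),
        "audit_actions": [e.action for e in hard.audit],
    }


if __name__ == "__main__":
    print(replay_pretext())
```

The weak desk issues and hands over the card on nothing more than a claimed name, and afterwards has no record to consult; the hardened desk refuses the unauthenticated request, records the refusal, and for the legitimate card can answer which receptionist issued it and who collected it. Note that the hardened version changes the process, not the receptionist's judgement, which is the distinction Winkler draws.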