Assignment Week 10 – BD308 – Hilma Aulia – 2581494366

Nama : Hilma Aulia Daffa
NIM : 2581494366

Pertanyaan:

  1. Define “social engineering” and provide three examples (e.g., pretexting, baiting).
  2. What are the key components of a good security awareness training program for employees?
  3. How can a simple “clean desk” policy contribute to the overall security of a business?

Jawaban:

1. Rethinking Social Engineering: Why Humans are the Weakest Link

When we talk about cybersecurity, most people immediately think of complex code or sophisticated firewalls. But honestly, the most effective way to break into a system often has nothing to do with software at all. It’s about social engineering—which, in plain English, is just a fancy way of saying “manipulating people.” Instead of looking for a bug in a server, attackers look for “bugs” in human psychology, like our natural tendency to trust others, our curiosity, or even our fear of getting in trouble. It’s basically hacking the person behind the screen to get around even the best security settings.

To give you a better idea of how this actually looks in the real world, here are a few ways it usually plays out:

Take Pretexting, for instance. This isn’t just a random lie; it’s a whole scripted scenario. An attacker might call you up pretending to be a frustrated IT guy or a bank representative dealing with a “system glitch.” They create this sense of legitimacy—the pretext—so that when they ask for your ID or account details to “fix the problem,” you don’t even think twice before handing it over.

Then there’s Baiting, which is surprisingly low-tech but effective. It plays on our curiosity. Imagine someone just “accidentally” drops a USB drive in a company parking lot with a label like “2024 Bonus List” or “Confidential Resignations.” Most people would find it hard not to take a peek. But the moment that drive hits a computer, it’s game over—the malware is already in. It’s a classic trap: the promise of information is the bait, and the victim does the attacker’s work for them.

And of course, we can’t ignore Phishing, which is probably the one we all see in our inboxes every day. It’s the bread and butter of social engineering. These emails are designed to look like they’re from someone you trust—your boss, Netflix, or your university. They always include some kind of “urgent” call to action, like “Your account will be deleted in 2 hours” or “Unauthorized login detected.” The goal is simple: get you to panic just enough that you click a shady link or download an attachment without checking if the sender’s email address actually makes sense.

At the end of the day, social engineering works because it’s much easier to trick a human into giving up a password than it is to brute-force a password through encryption.


2. Building a security awareness program that actually works isn’t just about making people watch a video once a year so HR can check a box. If we want to move the needle on company culture, we have to treat security as a habit, not a chore.

The most important shift is moving toward continuous, “micro-learning” sessions. Honestly, nobody remembers a 40-minute lecture from six months ago, so it’s much better to keep things short and frequent. It keeps security at the back of everyone’s mind without being a total drain on their schedule.

Then there’s the practical side—like phishing simulations. These are great because they provide that “teachable moment” right when someone actually clicks something they shouldn’t have. It makes the risk feel real. But it’s also important that this training isn’t one-size-fits-all. A finance person is targeted very differently than someone in HR; while one needs to look out for wire transfer scams, the other is constantly opening resumes that might have hidden malware. The content needs to reflect those specific daily risks to be relevant.

We also have to think about how people actually learn. If everything is just a wall of text, people will tune out. Mixing it up with quick quizzes, posters, or even short videos helps the message stick for different types of people.

Beyond the tools, though, the “vibe” of the organization matters. There has to be a culture where reporting a mistake is encouraged. If an employee is terrified of getting fired for clicking a link, they’ll just hide it until it’s too late. Something as simple as a “Report Phishing” button can empower them to be part of the solution rather than the weak link.

Ultimately, none of this sticks if the people at the top don’t care. If executives skip the training or ignore the rules, the rest of the staff will too. Real security starts when leadership shows that protecting the company’s data is a collective priority, not just an IT problem.

 

3. Rethinking the “Clean Desk” Habit: Why It’s More Than Just Office Tidiness

At first glance, a “Clean Desk” policy might sound like just another corporate rule to keep the office looking neat. But if we look closer, it’s actually one of the simplest yet most effective ways to guard sensitive info. The idea is basic: clear your workspace of any sensitive data before you head home or even when you’re just grabbing coffee. It sounds like a chore, but there are some really solid security reasons behind it.

  1. Stopping the “Quick Look” One of the biggest risks is actually the most casual one. Think about how many people walk through an office—maintenance crews, visitors, or even people from other departments. If you leave a sticky note with a password or a printed client list just sitting there, anyone can snap a photo or take a quick peek in seconds. A clean desk basically removes that “low-hanging fruit” for casual theft or “shoulder surfing.”

  2. Tightening the Circle on Internal Risks We don’t like to think about it, but sometimes the threat comes from inside. By making it a habit to file away physical documents, we’re essentially making it much harder for someone—whether they’re disgruntled or just opportunistic—to get their hands on intellectual property or personal data (PII). If it’s not out in the open, it’s a lot harder to steal.

  3. It’s Not Just a Rule, It’s Often the Law For anyone working in fields like healthcare or finance, this isn’t just a “nice to have” thing. Regulations like GDPR or HIPAA actually demand that we protect data strictly. Following a clean desk policy is a practical way to stay compliant with those heavy standards like ISO 27001 without overcomplicating things.

  4. Building the Right “Security Reflex” There’s also a psychological side to this. When you get into the habit of clearing your physical desk, that mindset usually carries over to your digital space. You’ll find yourself hitting Win+L or Cmd+Ctrl+Q to lock your screen almost automatically whenever you stand up. It builds a general culture of being alert.

  5. More Focus, Less Mess Finally, on a more practical level, a clear workspace just feels more professional. It’s hard to stay focused when you’re buried under a mountain of paper. Minimizing clutter doesn’t just look better for the company; it actually helps you stay organized so you’re not constantly losing important files in a pile of junk.

TerimaKasih^^

Previous Post Previous Post
Newer Post Newer Post

Leave a comment