It is a sad fact of life that even the trained gatekeepers of highly sensitive data are as susceptible to scam artists as Joe Public.
The U.S. Treasury Inspector General for Tax Administration (TIGTA) recently released a report with the results of a review on the susceptibility of Internal Revenue Service (IRS) employees to social engineering attempts — basic con-artist scams, such as pretending to be from the audit department or a senior executive — that could be used by hackers to gain access to IRS systems.
TIGTA had conducted similar social engineering tests in 2001 and 2004. In August, 2001, 71 of 100 employees targeted had provided user names and changed their passwords on request. In December, 2004, only 35 out of 100 employees succumbed. Progress seemed to have been made, and hopes were high for 2007.
After the 2001/2004 audits, recommendations were made to improve employee training, and publications were distributed with examples of social engineering attacks.
The not especially wily TIGTA auditors made 102 telephone calls to IRS employees in one day, "including managers and a contractor," posing as computer support help desk representatives. The undercover operatives asked for each employee’s assistance "to correct a computer problem and requested that the employee provide his or her user name and temporarily change his or her password to one they suggested."
Hardly in the first rank of deviousness, but the unimaginative scenario did the job — the auditors convinced 60 per cent of the 102 employees to do their bidding, despite the training materials and reminders in existence to ameliorate the problem since 2001.
The audit also revealed that managers were more lax than the rank and file, by a margin of over 12% — not an especially reassuring statistic for senior management.
I was relieved to see that neither of the two unfortunate employees targeted by the auditors in the Office of the Chief Counsel capitulated, but unfortunately one out of two employees in the Criminal Investigations office opened the kimono — not the type of healthy skepticism one would expect to see from that particular office.
A post-mortem exercise was conducted to try to understand why the errant employees gave up the password ghost without a fight, but the results are not especially illuminating. I imagine that the transgressors were not exactly thrilled to be called upon to explain the error of their ways, and thus may not have been especially candid in their responses.
The largest group (about one-third) simply indicated that they believed what they had been told; 10 employees thought that changing their passwords was not the same as disclosing them, which they knew was against the rules; eight employees admitted to knowing the rules and doing it anyway; seven employees said they had, or were having, computer problems, as if that somehow made it right; four employees were oblivious to the rules; and 11 employees provided no reason at all.
The 41 employees who passed the test were fairly evenly divided between skeptics who did not believe the scenario presented by the auditors and those who understood the need to protect passwords from "training programmes, e-mail advisories, or group meetings." Or maybe they just got lucky, or were in a grumpy mood.
TIGTA also evaluated whether any of the employees targeted had checked, after the fact, to see if the scenarios presented to them were legitimate, or if they alerted security that scam artists might be at work and a security risk imminent. Only one employee contacted the IRS computer security group, and the manager of the audit team received telephone calls from three employees to verify the calls were part of an official TIGTA audit; the TIGTA Office of Investigations also received contacts from four employees who had been targeted as part of the test.
TIGTA was rightly concerned that when attempts at social engineering are not reported to appropriate personnel, "the IRS cannot investigate incidents and take action to minimize the effect of a security breach."
What was abundantly clear from the test was that the corrective measures (e.g. education and outreach programmes) put in place in 2004 were ineffective in mitigating the threat of social engineering attacks that might result in the exposure of highly sensitive taxpayer data, and in instances of identity theft and other egregious consequences.
TIGTA concluded that IRS employees "either do not fully understand security requirements for password protection, or do not place a high priority on protecting taxpayer data in their day-to-day work."
Despite the discouraging results of the audit, TIGTA did not recommend that the IRS abandon training employees to improve compliance with corporate security policy. Rather, it suggested that employees be given an incentive to comply, such as by augmenting existing policy with disciplinary action, when security violations resulted from employee negligence or carelessness.
Clearly you don’t want to wield the big stick with employees unless you have to, but be aware that the stakes are high: cyber-criminals are as focused on business efficiency as legitimate operations.
If scammers can charm, bully, or bamboozle their way past your employees to get what they need to take you, or your customers, to the cleaners, have no doubt, that is exactly what they will do. And, in the process, they will make light work of all the expensive technology tools you have in place to protect critical data.
Don’t make it easy for them.
