The USB Stick at the Front Desk: Security Awareness in Mid-Sized Companies
Social engineering costs next to nothing yet causes losses in the millions. Why security awareness is the cheapest line of defence, and what ISO 27001 requires.
In short
Social engineering bypasses every firewall and every EDR system because it attacks people, not technology. ISO 27001 Annex A.6.3 mandates security awareness training as a documented, auditable requirement. The cheapest and most frequently underestimated line of defence in a mid-sized company is an informed employee.
Auf Deutsch lesen: deutsche Fassung
Imagine someone finds a USB stick in the company car park. It has a corporate logo on it, or nothing at all. They plug it in: out of curiosity, because they think they might be helping a colleague, or out of pure reflex. That is the attack. No zero-day exploit. No month of preparation. No team of hackers. Just a USB stick and human curiosity. I have seen this pattern across several industries, not always with USB sticks, but always with the same root cause: a person who did the obvious thing, and an organisation that had never talked about it.
The cheapest attack tool there is
Social engineering costs the attacker almost nothing. A phishing email costs pennies. A phone call impersonating IT support costs minutes. A printed USB stick costs less than a coffee. The attacker needs no sophisticated exploit and no budget for attack tools. What they need is a credible story and a target that does not know what to watch out for.
That is what makes this threat so insidious: it bypasses every technical defence. The most modern firewall is irrelevant once someone voluntarily opens the back door. An EDR system that recognises every known malware signature is useless when the attacker is sitting inside the system with genuine credentials: authenticated, inconspicuous, holding the same rights as the legitimate user. Technical security protects against technical attacks. Against the phone call from the fake IT support, the only protection is a person who knows how it sounds.
The data is unambiguous: social engineering is the point of entry in a substantial share of all documented data breaches, not a technical vulnerability. The way in usually does not run through a gap in the software, but through a gap in the human being. This knowledge is not new. Yet in many mid-sized companies it is systematically ignored, or ticked off with a mandatory annual click-through in an online course.
Social engineering: the variants I see in audits
The repertoire is broader than most people think. And in no case does it require technical skill on the attacker's side:
- Phishing emails that appear to come from IT support, HR or senior management and ask for login credentials in order to verify an account or approve an urgent payment.
- USB drops: sticks are deliberately left in car parks, canteens or in front of entrances, often with an enticing label (Q2 salary overview or a company logo).
- Vishing: callers pose as a system supplier, the IT department or a public authority and demand remote access, passwords or transfers.
- Invoice fraud: shortly before a payment run, an email arrives supposedly from a supplier, with changed bank details. The difference from the genuine sender is barely visible.
- CEO fraud: emails that look like internal instructions from senior management: urgent, confidential, please transfer immediately, no callback needed.
- Tailgating: someone holds the door open for a stranger because it would be rude not to let them through. And just like that, the person is inside the secured area.
None of these scenarios requires technical expertise. It requires planning, patience and a workforce that is not prepared. Be honest: do your employees have a clear idea today of what a CEO fraud email looks like? Do they know what to do when someone on the phone asks for remote access?
What ISO 27001 actually requires
ISO/IEC 27001:2022 Annex A, control 6.3 (Information security awareness, education and training) is not an optional recommendation. The standard requires that all employees and relevant external parties receive appropriate awareness and training, updated regularly, tailored to their role and to the organisation's relevant policies.
That sounds like bureaucracy. In audit practice it is more concrete. I do not check whether a training programme exists. I check whether it works. The questions then are: what content was delivered, when, for whom? Are there records? Is effectiveness reviewed, and if so, how? Is the programme adjusted when the threat landscape changes? A one-off annual PDF that every employee clicks through and marks as understood does not pass this check. It satisfies the form, but not the purpose of the control.
Anyone pursuing ISO 27001 certification, or who already holds it, has to keep this evidence properly. Anyone not planning to certify still benefits: a documented, effective awareness programme is, in the event of a loss, an argument towards the cyber insurer and senior management. It shows that the duty of care was taken seriously.
What really works. And what does not
The one thing that demonstrably does not work is the annual marathon training: once a year, two hours of PowerPoint, a quiz at the end, done until next year. People forget. Six months after the training, the impact is close to zero. Phishing clicks happen anyway.
- Regular short prompts instead of an annual marathon: five minutes in a team meeting achieve more than two hours every twelve months.
- Simulated phishing tests with immediate, non-punitive feedback: whoever clicks the test link gets an explanation straight away, not a reprimand. The learning happens in the moment, not three days later in a report.
- Clear, simple rules of action: not ten pages of policy, but three sentences. Call before you change bank details. Never click links in unexpected emails. Report any suspicion immediately.
- Reporting channels with no barrier to entry: if employees fear that a report will raise questions about their own competence, they will not report. The reporting culture decides how big the damage becomes.
- Leadership as an example, not an exception: if senior management exempts itself from the phishing test, the message is clear: this is not really important here.
An employee who reports a phishing attempt immediately is more valuable than one who clicks it away out of embarrassment and stays silent.
The reporting chain is the real foundation
The most expensive mistake after a social engineering attack is silence. Someone clicks a phishing link, notices it, and says nothing: out of embarrassment, out of fear of consequences, because they hope nothing further will happen. Hours later, the attacker is deep inside the network. The damage that builds up during those hours is the real attack.
An effective response depends on reporting being seen as the right thing to do, not as the admission of a mistake. Whoever reports immediately is not a problem. Whoever stays silent out of fear becomes one. That sounds simple. But it depends on the response to a report being grateful and constructive, not punitive. Once the message is circulating that a click on a phishing test earns you a talking-to, no one will report the next real incident. That is the opposite of security.
So define a simple, clear reporting channel: one number, one email address, one fixed point of contact. And make it known. Not in the handbook nobody reads. In the team meeting, on the poster next to the printer, in the signature of IT communications. Reporting must be easier than staying silent.
Three steps you can take this week
You do not need a large programme to get started. These three things take hardly any time and can be implemented immediately:
- Show your employees a concrete example today: a real phishing email from the news, or a demo you have rebuilt yourself. Not as theory, but as an image.
- Define a reporting channel that everyone can reach, and communicate it in the next team meeting. Three sentences are enough.
- Run a simulated phishing test. There are free tools for this, for example GoPhish. Review the results together, without names, without blame, with a learning effect.
The most important thing is not the tool. It is the conversation. Questions like this should be normal: does this look suspicious to you? Not awkward, not paranoid, but professional. Information security does not start with the firewall. It starts with someone speaking up.
Primary sources
Frequently asked questions
What is social engineering?+
Social engineering describes attacks in which perpetrators manipulate people rather than technology in order to obtain credentials, money or confidential information. Typical methods: phishing emails, phone calls under a false identity (vishing), USB drops or CEO fraud. It requires no technical knowledge, only a credible story.
What does ISO 27001 require on security awareness?+
ISO/IEC 27001:2022 Annex A, control 6.3 requires that all employees and relevant external parties receive appropriate awareness and training, regularly and tailored to their role. Auditors check not only that a programme exists, but that its effectiveness is demonstrated.
How do I recognise a phishing email?+
Typical signs: an unexpected request to enter a password or make a payment, a deviating sender domain (often just one letter different), unusual urgency, links that reveal a different address on hover than the one announced, and poor language or formatting. When in doubt: call the sender directly, never click the link.
What should you do if an employee has clicked on a phishing email?+
Report immediately, do not stay silent. Then: change the affected credentials at once, inform the IT department, and disconnect the machine from the network if necessary. The earlier the report, the smaller the damage. The most common and most expensive reaction is silence out of embarrassment: that hands the attacker valuable hours.
Is security awareness training mandatory?+
For ISO/IEC 27001 it is a documented, auditable requirement (Annex A.6.3). Independently of that, GDPR Art. 32 requires appropriate technical and organisational measures. Security awareness training is one of them. In the event of a loss, supervisory authorities and cyber insurers check whether an organisation has met its duty of care.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)
Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.