One of the most fascinating aspects of computer security is the growing interest in social engineering - "head hacking" rather than computer hacking - a topic certain to become even more important in 2004.
In one way, all computer hacking is about the human factor. Hackers succeed in hacking not just by exploiting weaknesses in computers, but also the shortcomings in the ways that those computers are managed or applications are developed.
But social engineering is slightly more than this. In head hacking, the attacker deliberately tries to fool an individual into allowing access to their computer system. Most obviously, they may do this by phoning the helpdesk and asking for assistance, pretending to be a panicking employee or a senior manager demanding access to a remote server. Clever social engineers can be surprisingly persuasive in these attempts and surprisingly persistent, phoning helpdesk staff repeatedly over long periods of time. Moreover, even the smallest snippet of information accidentally revealed - say, that a PIN for remote access is six rather than four characters long - can be of enormous assistance to an intruder struggling with an unfamiliar and otherwise well-protected computer system.
In recent months, there has been a spate of more sophisticated measures, the most widely publicised being the attempt to infect computers with Trojan horse programs by means of email attachments that appeared to have been sent from trusted organisations - the most famous of which was the Bank of England.
This is a social engineering trick that is broadly similar to email worms such as I Love You, which attempt to persuade recipients to open them, and to more recent worms that sent themselves to the contacts in victims' address books - the assumption being that even the most outré email might well be opened if it apparently comes from someone the recipient knows.
Hackers have many other, even more sophisticated techniques that can be applied. For example, in researching the potential vulnerabilities of a targeted organisation, hackers will often encounter a lot of information about the personal interests and hobbies - even the foibles - of certain employees. These people then become the target for focused attempts at subversion - for example, by persuading them that the hacker shares their interests. Over a period of time - and these sophisticated hackers can be extraordinarily patient - an employee can come to trust the hacker as a friend, and then either deliberately or accidentally reveal information of interest to the hacker.
Protecting an organisation's information assets from such an insidious form of intrusion can be frustratingly difficult. After all, most information security measures are designed to block intruders, rather than protect insiders from being subverted and inadvertently revealing information.
The answer is to educate users about the risks and to adequately monitor both insiders and outsiders. It won't be easy, but companies simply cannot afford to ignore this form of attack.