In a one page double space microsoft word document tell me how this could have been prevented and what changes need to take place to see that this social engineering attack does succeed again:

Suzy, a clinic manager, lists her workplace on her personal Facebook page. She hasn't enabled privacy features, so her personal profile is visible to the public. She hasn't given a second thought to the connection between her public profile and her clinic.

George is a social engineer. He knows that medical personally identifiable information will fetch a fantastic price. So$,$ George is on the hunt for a healthcare employee to exploit. He sees on Suzy's profile that she works at a medical clinic. He also sees Suzy's post that she's on vacation in the Bahamas.

George calls the clinic, and Patti answers. He asks to speak to Suzy. Patti replies that she is away from the clinic and asks if she can be of any help. George laughs, pretending he forgot, and tells Patti he's jealous that Suzy's in the Bahamas while they're stuck at work. His "insider" information and familiar way of speaking causes Patti to trust George.

Now that George has Patti's trust, he tells her that he's been working with Suzy on quoting a new server for the clinic. He doesn't know if they have a server or if they use an electronic medical record $($EMR$).$ However, if they don't, he can spin a story about how Suzy is looking to get a server to support an EMR. Social engineers are con artists. They can spin a story until they get what they want or hit a roadblock and move on to an easier target.

Patti tells George they have a server in the office. He asks her to grab some information that he forgot to get from Suzy. Patti places George on hold and collects the information he needs to remotely access the server. Now that he has access to the server, George can infect it with malware and steal the clinic's information.