All employees within an organization are potential targets for social engineering attacks, regardless of their position or level of access to sensitive information.
The statement is correct because social engineering attacks are designed to exploit human psychology rather than system vulnerabilities, and any employee may provide a potential entry point into an organization's secure environment. Attackers often target individuals who may seem less significant within an organization, as they may have fewer security protocols in place or may be less suspicious of unusual requests.