AbleToTrain by Willing & Able

Five ways to counter social engineering attacks

Countering social engineering is an important part of any information security programme, and it requires a multi-layered approach that combines staff training with technical controls.

This blog describes five steps your organization can take to mitigate the risk of social engineering attacks.

1. Build a positive security culture

Before we move on, let’s dispel a persistent myth.

Social engineering attacks exploit misplaced trust, not stupidity. Someone fools you or your employees not because you are stupid, but because they are skilled manipulators. Your corporate culture must reflect this fact.

We are all potential victims and the risk only increases as social engineering campaigns become more sophisticated.

It is important for employees to recognize their security responsibilities and report potential phishing attacks, rather than staying silent for fear of getting into trouble. Early reports save valuable time when responding to an incident.

2. Know the psychological triggers

Most people know that they can’t win a lottery they never entered, that the Nigerian prince will not share his fortune if we send him our bank details, and that the badly written email claiming to come from someone at HMRC is not what it says it is.

However, recognizing a social engineering attack is not as easy as identifying an apparently suspicious email.

There are different forms of social engineering, where attackers exploit different psychological triggers to overcome people’s natural defenses.

In addition to building trust and collecting information for later use, attackers may also:

  • Create a feeling of guilt, abusing the victim’s tendency towards quid pro quo; and

  • Rely on people’s conditioned reaction to authority.

Learning to recognise such tactics is essential.

3. Train your staff

It’s also important to train your staff so that they:

  • Understand the consequences of social engineering attacks;

  • Are suspicious of unsolicited communications and unknown people;

  • Check whether emails genuinely come from their stated sender (double-check senders’ names and look out for giveaways such as spelling errors and other illiteracies);

  • Don’t open suspicious email attachments;

  • Beware of tailgating (just because someone is wearing a tabard and holding a clipboard doesn’t mean you should let them into your building);

  • Aren’t rushed (attackers create a sense of urgency to pressure you);

  • Think before providing sensitive information (no one legitimate will ever ask you for your password, for instance);

  • Check websites’ security before submitting information, even if they seem legitimate (avoid websites that use HTTP);

  • Pay attention to URLs and ‘typosquatting’ (sites that look genuine but whose web addresses are subtly different from the legitimate site they’re imitating); and

  • Beware of clickjacking (be suspicious of everything you click on, and hover your mouse over links to check where they’re pointing to).
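As an added example (not part of the original post), the script below automates three of the checks from this list over a constructed email fragment: it flags plain-HTTP links, compares the link text with the real target the way hovering would, and spots typosquatted look-alikes of domains the organisation knows. The allow-list, the sample HTML and the two-edit similarity threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation expects to see (assumption).
KNOWN_DOMAINS = {"example.com", "hmrc.gov.uk"}

# Constructed HTML fragment of the kind a phishing email might carry.
SAMPLE_HTML = """
<p>Please <a href="http://examp1e.com/login">log in at example.com</a> to confirm.</p>
<p>Or visit <a href="https://www.hmrc.gov.uk/">HMRC</a> for details.</p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strip_www(host: str) -> str:
    """Treat www.example.com and example.com as the same site."""
    return host[4:] if host.startswith("www.") else host

def check_link(href: str, text: str) -> list[str]:
    """Return the warnings a trained employee would raise for one link."""
    warnings = []
    parsed = urlparse(href)
    host = strip_www(parsed.hostname or "")
    if parsed.scheme == "http":  # the post's 'avoid websites that use HTTP'
        warnings.append("plain HTTP")
    # The 'hover check': link text naming a site other than the real target.
    mentioned = {strip_www(m.lower()) for m in DOMAIN_RE.findall(text)}
    if mentioned and host not in mentioned:
        warnings.append(f"text names {sorted(mentioned)} but target is {host}")
    # Typosquatting: close to a known domain without being that domain.
    for good in KNOWN_DOMAINS:
        if host != good and edit_distance(host, good) <= 2:
            warnings.append(f"look-alike of {good}")
    return warnings

def scan_email(html: str) -> dict[str, list[str]]:
    """Map each href in the message to its warnings (empty list = nothing flagged)."""
    return {href: check_link(href, text) for href, text in LINK_RE.findall(html)}
```

Running `scan_email(SAMPLE_HTML)` flags the first link three times (plain HTTP, text/target mismatch, look-alike of example.com) and leaves the genuine HMRC link clean.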

4. Test the effectiveness of your training

In addition to training employees, it is also important to test whether that training is actually effective.

Simulated phishing attacks give a good indication of how vulnerable employees are to phishing emails.

5. Implement appropriate technical measures

Staff training is important, but it is not everything. You also need to implement wider information security measures so that if attackers do manage to trick users, it’s difficult for them to get much further.

Among other things, you should consider:

  • Using firewalls, antivirus, antimalware, whitelisting and spam filters to keep malicious traffic to a minimum;

  • Applying patches and keeping your systems up to date so that you are not vulnerable to known software and network vulnerabilities;

  • Using rigid data classification models and privileged access management policies to secure, and control who has access to, sensitive data;

  • Keeping records of who has access to what information, and who is therefore most at risk; and

  • Implementing a policy of using strong, unique passwords.