Social engineering may be the biggest threat organizations face today. Most modern breaches involve some form of social engineering, yet technology still does little to protect against these types of attacks. Ironically, it is often the loyal employees who are willing to go the extra mile to fulfill their responsibilities that can compromise your organization’s digital safety and security. Ensnared in convincing social engineering tactics, some of these ideal employees could unknowingly become your weakest link.
There are three basic types of social engineering attack: face to face, over the phone and through email. Social engineering through email is by far the most common, and is often referred to as phishing or spear phishing. The first line of defense against phishing and spear phishing attacks is a good spam filter. While spam filters work most of the time, they can still be circumvented. Training employees about the risks of phishing and spear phishing attacks provides the best protection. This can be incorporated in mandatory training, through supplemental videos or by conducting a phishing simulation test. Either way the goal is the same: training employees to be aware of the risks and to recognize the warning signs of a fraudulent or manipulative email.
Social engineering over the phone, while not as common as email, is still very prevalent, and depending on an employee's role it may actually be the highest risk. Employees who have a higher chance of being exposed to social engineering over the phone, such as call center staff, should undergo additional training. A strict protocol should be set for providing access to customer account information.
Social engineering in person is the least common form but should be treated very seriously. Criminals gaining access to servers, point of sale systems or document rooms can lead to large security breaches. Assuming the identity of a vendor or fellow employee is a standard tactic used by social engineers. Maintaining secure points of entry and enforcing a security policy for visitors will help reduce the risk of social engineers gaining access to facilities.
Employees should be trained to recognize all forms of social engineering, and special training and procedures should be put in place for those who are exposed to a greater risk of certain threats. With adequate training, the risks of social engineering can be dramatically reduced.