Tackling social engineering is an essential part of any information security regime, and requires a multi-layered approach that combines staff training with technical measures.
In this blog, we look at five steps that your organisation can take to mitigate the risk of social engineering attacks.
1. Build a positive security culture
Before we go any further, we should dispel an unhelpful myth.
Social engineering attacks exploit misplaced trust, not stupidity. If someone fools you or your staff, it’s because they’re good at manipulation, not because you or your staff are stupid. Your corporate culture needs to reflect that fact.
We’re all potential victims, and as social engineering campaigns get increasingly sophisticated, the risk is only going to increase.
It’s essential that your staff are aware of their security responsibilities and report potential phishing attacks rather than think that saying something will get them in trouble. This will save you valuable time when responding to an incident.
2. Learn the psychological triggers
Most people know that they can’t have won a lottery they didn’t enter, that a Nigerian prince isn’t going to share his fortune if they just hand over their bank details, and that they’re not getting a tax rebate, even if a badly spelled email purporting to come from HMRC says otherwise.
However, recognising social engineering attacks isn’t always as easy as identifying obviously dubious emails.
Social engineering takes many guises and attackers exploit a number of psychological triggers to get past people’s natural defences.
As well as developing trust and gathering intelligence that they can later use, they might:
- Create situations of false urgency and heightened emotion, such as fear, excitement and panic, to confuse their victims;
- Exploit the victim’s propensity for reciprocation by creating a sense of indebtedness; or
- Rely on people’s conditioned responses to authority.
Learning to recognise such tactics is essential.
3. Train your staff
It’s also important to train your staff so that they:
- Understand the consequences of social engineering attacks;
- Are suspicious of unsolicited communications and unknown people;
- Check whether emails genuinely come from their stated sender (double-check senders’ names and look out for giveaways such as spelling errors and other poor writing);
- Don’t open suspicious email attachments;
- Beware of tailgating (just because someone is wearing a tabard and holding a clipboard doesn’t mean you should let them into your building);
- Aren’t rushed (attackers create a sense of urgency to pressure you);
- Think before providing sensitive information (no one legitimate will ever ask you for your password, for instance);
- Check websites’ security before submitting information, even if they seem legitimate (avoid websites that use plain HTTP rather than HTTPS);
- Pay attention to URLs, and ‘typosquatting’ (sites that look genuine but whose web addresses are subtly different from the legitimate site they’re imitating); and
- Beware of clickjacking (be suspicious of everything you click on, and hover your mouse over links to check where they really point before clicking).
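Several of the checks in the list above (does the sender’s address match the name it claims, is the domain a lookalike, does a link go where its text says, is it HTTPS) can be turned into a small screening script. The following is an added example written for this page, not code from the original post or from GRC eLearning. It assumes a constructed allowlist of domains the organisation legitimately deals with, uses a simplified rule for the registrable part of a domain (real code should use the public suffix list), and runs over constructed sample headers and links.

```python
"""Added example: screen email senders and links for lookalike domains.

Not part of the original post. KNOWN_DOMAINS and the sample inputs are
constructed for illustration; the registrable-domain rule is a
simplification (assumption) of what the public suffix list would give.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: domains the organisation actually corresponds with.
KNOWN_DOMAINS = {"example.com", "hmrc.gov.uk", "example-bank.co.uk"}

# Character substitutions commonly used to build lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a, b):
    """Edit distance; a small distance to a known domain is a warning sign."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold confusable characters so 'exarnple' and 'examp1e' both read 'example'."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def registrable(host):
    """Simplified registrable domain: last two labels, or three for *.co.uk style."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "gov", "ac", "org") and parts[-1] == "uk":
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def classify_domain(domain):
    """Return 'known', 'lookalike' (typosquat of a known domain) or 'unknown'."""
    reg = registrable(domain)
    if reg in KNOWN_DOMAINS:
        return "known"
    for known in KNOWN_DOMAINS:
        if normalise(reg) == normalise(known) or levenshtein(reg, known) <= 2:
            return "lookalike"
    return "unknown"


def check_sender(from_header):
    """Classify the real sender domain behind a From: header.

    Also catches display names that quote a trusted domain the address lacks.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_domain(domain)
    claimed = [k for k in KNOWN_DOMAINS if k in name.lower()]
    if verdict != "known" and claimed:
        verdict = "display-name-spoof"
    return verdict


def check_link(anchor_text, href):
    """The 'hover over the link' check in code: return a list of warnings."""
    warnings = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        warnings.append("not HTTPS")
    if classify_domain(host) == "lookalike":
        warnings.append("lookalike domain: " + host)
    # If the visible text itself looks like a URL, compare the two hosts.
    text = anchor_text.strip()
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text)
        if shown.hostname and registrable(shown.hostname) != registrable(host):
            warnings.append("text shows %s but link goes to %s" % (shown.hostname, host))
    return warnings


if __name__ == "__main__":
    # Constructed samples: one genuine sender, one typosquat, one spoofed name.
    for hdr in ('Alice <alice@example.com>',
                '"HMRC Refunds" <refunds@hmrc-gov.uk>',
                '"IT Support example.com" <helpdesk@exarnple.com>'):
        print(hdr, "->", check_sender(hdr))
    print(check_link("https://example.com/login", "http://examp1e.com/login"))
```

The distance threshold of 2 suits domains as long as those in the allowlist; for very short domains it should be tightened, or the edit-distance test dropped in favour of the confusable-folding check alone, to avoid false alarms.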
4. Test the effectiveness of the training
As well as training your staff, it’s important to test the effectiveness of your training measures.
Simulated phishing attacks will give you a good idea of your employees’ susceptibility to phishing emails.
5. Implement appropriate technical measures
Staff training is essential, but it’s not everything. You also need to implement wider information security measures so that if attackers do manage to trick users, it’s difficult for them to get much further.
Among other things, you should consider:
- Using firewalls, antivirus, anti-malware, whitelisting and spam filters to keep malicious traffic to a minimum;
- Applying patches and keeping your systems up to date so that you are not exposed to known software and network vulnerabilities;
- Using rigid data classification models and privileged access management policies to secure, and control who has access to, sensitive data;
- Keeping records of who has access to what information, and who is therefore most at risk; and
- Implementing a policy of using strong, unique passwords.
The information security standard ISO 27001, which sets out the requirements of a best-practice information security management system, provides a lot of essential guidance relating to the suggestions above – and much more besides.
Annex A to ISO 27001 provides 114 security controls that any organisation can use to address the information security risks it faces, whether or not it opts to pursue certification to the Standard.
Get started with e-learning solutions
The responsibility for information security lies with every member of staff, and security practices need to be embedded in the working practices of the whole business in order to be effective.
Using regular staff awareness training to break users’ unconscious habits and increase their vigilance will reduce your organisation’s risk of attack.
GRC eLearning has a number of training courses to help increase staff awareness of the threat of social engineering attacks.
Organisations looking to improve their ability to spot social engineering attacks should consider starting with our Phishing Staff Awareness E-learning Course.
The course is updated quarterly to contain the latest tricks that cyber criminals use and up-to-date guidance on how to spot the signs of a scam.
It also provides knowledge checks at the end of each section and a final assessment upon completion of the course. This ensures that staff understand the course content, and gives them clarity on anything they may have misunderstood.
The course addresses each of the points we’ve outlined in this article, so if you’re looking for an e-learning training provider, why not join the 800 organisations that are already using our courses?
A version of this blog was originally published on 31 August 2018.