According to Proofpoint’s 2018 report The Human Factor, as many as 95% of observed web-based attacks “incorporated social engineering to trick users into installing malware”.
This should come as no great surprise. As Microsoft explained in its latest (March 2018) Security Intelligence Report:
“As software vendors incorporate stronger security measures into their products, it is becoming more expensive for hackers to successfully penetrate software. By contrast, it is easier and less costly to trick a user into clicking a malicious link or opening a phishing email.”
Countering social engineering is an essential part of any information security regime, and it requires a multi-layered approach that combines staff training with technical measures. Your organisation must foster a culture of security and also use technology to limit the damage attackers can do if they succeed – and, given the number of attack vectors open to them, sooner or later one of them will.
If you want to find out more about the various types of attacks to beware of, including phishing, vishing, smishing, whaling, pharming and tabnabbing, read my blog: What is social engineering? The techniques to look out for.
1. Build a positive security culture
Before we go any further, we should dispel an unhelpful myth.
Social engineering attacks exploit misplaced trust, not stupidity. If someone fools you or your staff, it’s because they’re good at manipulation, not because you or your staff are stupid. Your corporate culture needs to reflect that fact.
We’re all potential victims, and as social engineering campaigns get more and more sophisticated, the risk is only going to increase.
It’s essential that your staff are aware of their security responsibilities and report suspected phishing attacks as soon as possible, rather than staying silent for fear of getting into trouble. An early report saves valuable time when responding to an incident.
2. Learn the psychological triggers
Most people know that they can’t have won a lottery they didn’t enter, a Nigerian prince isn’t going to share his fortune if they just give him their bank details and they’re not getting a tax rebate, even if a badly spelled email purporting to be from someone from HMRC says otherwise.
However, recognising social engineering attacks isn’t always as easy as identifying obviously dubious emails.
Social engineering takes many guises and attackers exploit a number of psychological triggers to get past people’s natural defences. As well as developing trust and gathering intelligence that they can later use, they might:
- Create situations of false urgency and heightened emotion, such as fear, excitement and panic, to confuse their victims;
- Exploit the victim’s propensity for reciprocation by creating a sense of indebtedness; or
- Rely on people’s conditioned responses to authority.
Learning to recognise such tactics is essential.
3. Train your staff
It’s also important to train your staff so that they:
- Understand the consequences of social engineering attacks;
- Are suspicious of unsolicited communications and unknown people;
- Check whether emails genuinely come from their stated sender (look at the actual address behind the display name, not just the name, and look out for giveaways such as spelling errors and other illiteracies);
- Don’t open suspicious email attachments;
- Beware of tailgating (just because someone is wearing a tabard and holding a clipboard doesn’t mean you should let them into your building);
- Aren’t rushed (attackers create a sense of urgency to pressure you);
- Think before providing sensitive information (no one legitimate will ever ask you for your password, for instance);
- Check websites’ security before submitting information, even if they seem legitimate (never enter credentials or payment details on a page served over plain HTTP; bear in mind that HTTPS and the padlock only mean the connection is encrypted, not that the site is genuine, since phishing sites use HTTPS too);
- Pay attention to URLs and ‘typosquatting’ (sites that look genuine but whose web addresses are subtly different from the legitimate site they’re imitating, such as a swapped or missing letter or a trusted name used as a subdomain of an unrelated site); and
- Beware of disguised links (be suspicious of everything you click on, and hover over links to check where they actually point, since the visible text and the real destination can differ). This is distinct from clickjacking proper, where an attacker overlays a page in an invisible frame; that is addressed on the server side with anti-framing headers such as X-Frame-Options or a Content-Security-Policy frame-ancestors directive.
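The sender, URL and link checks in the list above can be automated as a first pass over incoming mail. The script below is an added example, not code from the original article or from any product it mentions; it applies the same heuristics a trained user is asked to apply by hand. The trusted-domain list and the sample message are constructed for this example, and the look-alike rules (homoglyph folding, an edit distance of one, and a trusted name embedded in a longer host) are deliberately simple heuristics, not a definitive test.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains the (hypothetical) organisation trusts.
TRUSTED_DOMAINS = {"example-bank.com", "hmrc.gov.uk"}

# Look-alike characters folded back to ASCII (real messages carry IDNs as punycode, xn--, needing IDNA decoding first).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a",
                            "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})

def domain_of(s):
    """Host of a URL, or the domain part of an e-mail address, lower-cased."""
    if "://" in s:
        return (urlparse(s).hostname or "").lower()
    return s.rsplit("@", 1)[-1].lower()

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typosquats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the genuine domain, or a real subdomain of it
    folded = domain.translate(HOMOGLYPHS)
    for trusted in sorted(TRUSTED_DOMAINS):
        if (folded == trusted                           # examp1e-bank.com
                or edit_distance(domain, trusted) <= 1  # exampl-bank.com
                or trusted in domain):                  # example-bank.com.evil.net
            return trusted
    return None

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def analyse(raw):
    """Return human-readable findings for one raw RFC 5322 message (empty list if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg["From"])
    from_domain = domain_of(addr)
    # Sender checks: borrowed brand in the display name, look-alike sending domain, diverted Reply-To.
    shown_name = re.sub(r"[^a-z0-9]", "", display.lower())
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = re.sub(r"[^a-z0-9]", "", trusted.split(".")[0])
        if brand in shown_name and from_domain != trusted:
            findings.append(f"display name '{display}' claims {trusted} but sender domain is {from_domain}")
    if lookalike_of(from_domain):
        findings.append(f"sender domain {from_domain} imitates {lookalike_of(from_domain)}")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")
    # Link checks: text showing one host while pointing at another, look-alike targets, plain HTTP.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            target = domain_of(href)
            if re.match(r"https?://", text) and domain_of(text) != target:
                findings.append(f"link text shows {domain_of(text)} but points to {target}")
            if lookalike_of(target):
                findings.append(f"link target {target} imitates {lookalike_of(target)}")
            if urlparse(href).scheme == "http":
                findings.append(f"link to {target} uses plain HTTP")
    return findings

# Constructed sample message exhibiting every indicator the checks above look for.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: verify@mail-secure-update.net
To: user@company.example
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be locked. Sign in now to verify:</p>
<a href="http://example-bank.com.account-verify.net/login">https://example-bank.com/login</a>
</body></html>
"""
```

Running `analyse(SAMPLE)` produces six findings: the display name claims a trusted brand while the address is on `examp1e-bank.com`, that domain is itself a homoglyph look-alike, Reply-To points at a third domain, the link text shows one host while the href points at another, the real target embeds the trusted name as a subdomain of an unrelated site, and the link uses plain HTTP. A clean message from a genuinely trusted domain with no suspicious links produces no findings.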
4. Test the effectiveness of the training
As well as training your staff, it’s important to test the effectiveness of your training measures.
Simulated phishing attacks will give you a good idea of your employees’ susceptibility to phishing emails.
5. Implement appropriate technical measures
Staff training is essential, but it’s not everything. You also need to implement wider information security measures so that if attackers do manage to trick users, it’s difficult for them to get much further.
Among other things, you should consider:
- Using firewalls, antivirus and anti-malware software, application whitelisting and spam filters to keep malicious traffic and unauthorised executables to a minimum;
- Applying patches promptly and keeping your systems up to date, so that a user who is tricked into opening a malicious file or link is not also exposed to known software and network vulnerabilities;
- Using strict data classification and privileged access management policies to secure sensitive data and control who has access to it, so that a compromised account reaches as little as possible;
- Keeping records of who has access to what information, and who is therefore most at risk; and
- Implementing a policy of strong, unique passwords, ideally enforced through a password manager (which will not autofill credentials on a look-alike domain).
The information security standard ISO 27001, which sets out the requirements of a best-practice information security management system, provides a lot of essential guidance relating to the suggestions above – and much more besides. Annex A to ISO 27001 provides 114 security controls that any organisation can use to address the information security risks it faces, whether or not it opts to pursue certification to the Standard.
The responsibility for information security lies with every member of staff, and security practices need to be embedded in the working practices of the whole business in order to be effective.
Using regular staff awareness training to break users’ unconscious habits and increase their vigilance will reduce your organisation’s risk of attack.
GRC eLearning has a number of training courses to help increase staff awareness of the threat of social engineering attacks:
Phishing Staff Awareness E-learning Course
This course will help your staff identify and understand phishing scams, as well as explaining what could happen if they fall victim and how to mitigate the threat of an attack.
Phishing and Ransomware Human Patch E-learning Course
This ten-minute interactive e-learning course introduces phishing and ransomware to employees and explains what they need to be aware of to avoid falling victim to future incidents.
Information Security Staff Awareness E-learning Course
This interactive e-learning course helps employees learn about the most important elements of information security. It teaches them how to avoid becoming a security liability and provides basic knowledge of information security best practices to minimise preventable mistakes.
Information Security and ISO27001 Staff Awareness E-learning Course
Give your staff a better understanding of information security risks and ISO/IEC 27001:2013 compliance requirements to reduce your organisation’s exposure to security threats.