Best Practices for Minimizing the Impact of Social Engineering on Your Organization
When many people think of cybercrime, they think of a bearded guy beating away at his keyboard in a dark room, searching for vulnerabilities in the network that can be exploited. While exploits are a big threat, the reality is that many attacks happen in smoother and more subtle ways. Why spend days slaving away to get in the backdoor, when you can just ask nicely to be let in through the front? This is the essence of social engineering.
A social engineer uses a wide range of tactics to manipulate their victims into giving up whatever information they need. Imagine that someone with a police uniform knocks on your door and asks to have a word. They look authoritative, so you invite them in to sit down. They spend five minutes discussing crime in the neighborhood and on the way out, they secretly swipe the spare key. A few days later, you come back home to discover that all of your valuables are gone.
In this case, the social engineer tricked their way into the home by using the authority of the police uniform, which many people respect or even fear. Most people won’t think to turn down a police officer’s requests, or to ask for further identification. The attacker took advantage of this to gain access to the house, where they could get what they wanted: the spare key.
The example used above is social engineering in its most physical form, but many attacks get the information they need through deception over email or the phone. Estimates for the rates of social engineering depend on the organization that collected the data. According to F-Secure, 52% of external exploits come from social engineering, while Social Engineer, INC claim that it is used in more than 66% of attacks. PhishMe’s 2016 report shows that 91% of attacks that resulted in data breaches were due to spear-phishing, a type of social engineering where attacks are tailored to target specific individuals.
Although the numbers may vary, it doesn’t change the most important takeaway: social engineering is the number one security threat to your business.
How Does Social Engineering Work?
You might like to think that you would never give out a password or privileged information to an attacker. The problem is that attackers don’t carry around signs that declare their intentions, and they often come up with very convincing stories to mislead you. Some of the key techniques that they use include:
Just like in our policeman example from above, using a position of authority is an excellent way for attackers to get people to do what they want. You may not be willing to go against company policy if a customer or a coworker asks you to, but what if the direction comes from your “boss” or the “authorities”? By claiming to hold some kind of position over you, attackers can easily leverage that power against you and pressure you to divulge something that you normally wouldn’t.
When someone does something for us, we normally have a strong urge to reciprocate. An attacker may bring you lunch or perform another nice gesture. Before they leave, they ask for just one little favor: to quickly use your computer to check their email. You know that it goes against company policy, but it’s just something small and you would feel guilty if you turned them down. You let them use your computer, they quickly finish, thank you and then head off. Everything seems fine, but then the next day you discover that the company has been breached, and it’s all your fault, just for trying to return the favor.
Using an Emotional Story
It’s not uncommon for an attacker to play at one of our biggest weaknesses, our emotions. They might come up with a heart-wrenching story about their daughter’s cancer treatment and all of the stress and hardship they are under. The story wears you out emotionally and you can’t help but feel sympathy for the attacker. They ask you for something small, and you feel compelled to do it, even if it goes against company policy. Before you know it, the company has been hacked, and yep, it’s your fault, simply for being empathetic.
These are just some of the many ways that social engineering can be used against us, but they demonstrate just how easy it is to manipulate people into violating official policies.
How to Minimize the Impacts of Social Engineering
Social engineering is a pervasive and difficult problem to combat, and there is no way that you can make your business bulletproof. The simple fact is that we are all human, we all make mistakes and we can all be misled. This doesn’t mean that we should give up hope, because having the proper processes in place can significantly decrease the likelihood of a successful social engineering attack. Some of the key tactics that your company can use to manage the risks include:
Having an Effective Cyber Security Policy in Place
It all starts with having clear procedures in place that make sure your points of weakness are covered.
When it comes to social engineering, some of the most important areas that need to be addressed are how and when different classes of information should be communicated.
The most effective policies will vary from company to company and need to strike the right balance between security and convenience. Employees shouldn’t be giving out the maiden name of the CEO’s mother to anyone who tweets at them, nor should things go too far the other way, like requiring employees to get managerial consent before they can use an adverb.
The policy should define which information is sensitive, and how sensitive it is. There need to be clear rules for how and when each of these classes of information is distributed, and whether it needs approval from higher-ups before it is sent.
Another key aspect will be the email usage policy, because a significant number of attacks are initiated through email. The email policy needs to include clear rules, such as not clicking on random links or attachments that weren’t asked for, and not trusting unsolicited contacts.
Whenever there is any doubt, employees need to ask the IT department for confirmation. It is much better to be cautious than to accidentally let an attacker sneak in. While you don’t want to foster a tinfoil-hat company culture, a little paranoia is a good thing when it comes to security.
Training, Training and More Training
Training is an important part of reinforcing these policies, and it has to be ongoing in order to make sure that employees continue to abide by them. Let’s be honest, cyber security policies can be boring for your average employee, particularly if they don’t have much of a technological background.
Cyber security is the kind of thing that is hardly noticed when everything is going smoothly. Unless there has been a major catastrophe in recent times, security concerns can fall to the back of an employee’s mind. This can lead to standards slipping, which is when things tend to go wrong.
The only way that you can prevent this from happening is by having regular and intensive training. Training against social engineering can take many forms, and it may be best to use a range of them in order to keep your employees engaged. These can include simple presentations on the dangers and common tactics, role playing some of the common situations, email updates and more.
One of the best ways to demonstrate the risks of social engineering to your employees is through testing. You can hire companies that will set up email phishing expeditions or mystery callers to try and extract as much information as possible from your employees. You may be surprised by how much they are willing to give out.
The benefit of doing these tests is that they can show the company’s weak points with relatively little at stake. It is much better to do some testing, then call a meeting with your employees to discuss which parts of the policy need to be addressed. The shock of how easy it was for the testers to gather information can be a great wake-up call that helps to reinforce your cyber security policies. It is much better to find your company’s weak points in a test than after a devastating attack.
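The testing described above only pays off if the results are measured and turned into targeted follow-up. The script below is an added example, not code from LuxSci or from any phishing-testing vendor: it tallies the outcome of a simulated phishing campaign per department and flags the departments whose results warrant the follow-up meeting the text recommends. The record layout, the department names and the thresholds are assumptions, and the campaign data is constructed for the example.

```python
"""Summarize a simulated phishing campaign and flag departments for retraining.

Added example; the record format, thresholds and sample data are assumptions,
not output from any real testing service.
"""
from collections import defaultdict

# Constructed sample results, one record per simulated email sent:
# (department, opened, clicked_link, submitted_credentials, reported_to_it)
SAMPLE_RESULTS = [
    ("finance", True, True, True, False),
    ("finance", True, True, False, False),
    ("finance", True, False, False, True),
    ("finance", False, False, False, False),
    ("engineering", True, False, False, True),
    ("engineering", True, True, False, False),
    ("engineering", False, False, False, False),
    ("engineering", True, False, False, True),
    ("sales", True, True, True, False),
    ("sales", True, True, True, False),
    ("sales", True, True, False, False),
]


def summarize(results):
    """Count outcomes per department and derive the rates that matter.

    Credential submission is the outcome the post warns about (an employee
    handing over log-in details); the report rate is the positive signal that
    the policy to ask IT when in doubt is actually being followed.
    """
    counts = defaultdict(
        lambda: {"sent": 0, "opened": 0, "clicked": 0, "submitted": 0, "reported": 0}
    )
    for dept, opened, clicked, submitted, reported in results:
        c = counts[dept]
        c["sent"] += 1
        c["opened"] += int(opened)
        c["clicked"] += int(clicked)
        c["submitted"] += int(submitted)
        c["reported"] += int(reported)
    summary = {}
    for dept, c in counts.items():
        summary[dept] = {
            **c,
            "click_rate": c["clicked"] / c["sent"],
            "submit_rate": c["submitted"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
    return summary


def flag_for_retraining(summary, max_click_rate=0.25, min_report_rate=0.25):
    """Return [(department, [reasons])] for departments that need follow-up.

    Thresholds are assumed values for the example; any credential submission
    is flagged regardless of threshold, because one submitted password is
    enough for a real attacker.
    """
    flagged = []
    for dept, s in sorted(summary.items()):
        reasons = []
        if s["click_rate"] > max_click_rate:
            reasons.append(f"click rate {s['click_rate']:.0%} above {max_click_rate:.0%}")
        if s["submitted"] > 0:
            reasons.append(f"{s['submitted']} credential submission(s)")
        if s["report_rate"] < min_report_rate:
            reasons.append(f"report rate {s['report_rate']:.0%} below {min_report_rate:.0%}")
        if reasons:
            flagged.append((dept, reasons))
    return flagged


if __name__ == "__main__":
    results = summarize(SAMPLE_RESULTS)
    for dept, reasons in flag_for_retraining(results):
        print(f"{dept}: " + "; ".join(reasons))
```

On the constructed data, finance is flagged for its click rate and one credential submission, sales for all three measures, and engineering is not flagged at all because half of its recipients reported the message. Tracking the report rate alongside the click rate is the design choice worth keeping: a falling click rate with a flat report rate means people are ignoring suspicious mail, not escalating it.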
Keeping Your Business Safe from Social Engineering
At LuxSci, we do our best to make sure that your business is secure from a technical standpoint. Our services such as encrypted email and HIPAA-compliant web hosting can protect your business from a range of different attacks, but unfortunately these can’t prevent one of your employees from handing over their log-in credentials.
If you want your workforce to be as secure as LuxSci’s services, then you need to make sure your company has appropriate social engineering awareness, policies, training and testing in place. By being proactive, you can significantly reduce the chances of suffering a costly attack.
Have questions about how to best keep your workforce secure? Contact Us