Best Practices for Minimizing the Impact of Social Engineering on Your Organization
When many people think of cybercrime, they picture a lone figure tapping away at a keyboard in a dark room, hunting for a vulnerability in the network to exploit. Exploits are a real threat, but many attacks succeed in quieter and more subtle ways. Why spend days trying to get in through the back door when an attacker can simply ask to be let in through the front? This is the essence of social engineering.
A social engineer uses many tactics to manipulate victims into giving up whatever information or access they need. Imagine someone in a police uniform knocks on your door and asks for a word. They look authoritative, so you invite them in to sit down. They spend five minutes discussing crime in the neighborhood, and on the way out they quietly pocket the spare key. A few days later, you come home to find that all your valuables are gone.
In this case, the social engineer talked their way into the home by using a police uniform to appear authoritative. Most people won’t think to turn down a police officer’s request or to ask for identification, and the attacker exploited that reflex to gain access to the house and take what they wanted: the spare key.
The example above is social engineering in its physical form, but many attacks obtain the information they need through deception over email or the phone. Estimates of how common social engineering is vary with the organization that collected the data. According to F-Secure, 52% of external exploits come from social engineering, while Social Engineer, Inc. puts the figure at more than 66% of attacks. PhishMe’s 2016 report states that 91% of attacks that resulted in data breaches began with spear-phishing, a form of social engineering in which the lure is tailored to a specific individual.
Although the numbers vary, the takeaway does not: social engineering is among the most serious security threats to your business, and it is one that technical controls alone cannot stop.
How Does Social Engineering Work?
You might think you would never give an attacker a password or privileged information. The problem is that attackers don’t carry signs declaring their intentions; they arrive with compelling stories designed to mislead you. Some of the key techniques they use include:
Authority
As in the example above, a position of authority is an excellent lever for getting people to do what the attacker wants. You may refuse to go against company policy when a customer or coworker asks, but what if the direction comes from your “boss” or “the authorities”? By claiming a position above you, attackers can pressure you into divulging something you normally wouldn’t. Over email this often takes the form of a message that appears to come from an executive and demands an urgent, confidential action.
Reciprocation
When someone does something for us, we feel a strong urge to reciprocate. An attacker may bring you lunch or do some other small kindness. Before they leave, they ask for just one little favor: to use your computer for a minute to check their email. You know it goes against company policy, but it’s a small thing, and you would feel guilty turning them down. You let them on, they finish quickly, thank you, and head off. Everything seems fine, until the next day you learn that the company has been breached through your account, all because you tried to return a favor.
Using an Emotional Story
It is not uncommon for an attacker to play on one of our biggest weaknesses: our emotions. They might tell a heart-wrenching story about a daughter’s cancer treatment and the stress and hardship they are under. The story wears you down, and you can’t help but feel sympathy. They then ask for something minor, and you feel compelled to help, even though it goes against company policy. Before you know it, the company has been breached, and again it traces back to you, simply for being empathetic.
These are just a few of the many ways social engineering can be used against us, but they show how easy it is to manipulate people into violating official policy.
How to Minimize the Impacts of Social Engineering
Social engineering is a pervasive and difficult problem to combat, and there is no way to make your business bulletproof. We are all human, we all make mistakes, and we can all be misled. That is no reason to give up, because having the proper processes in place significantly decreases the likelihood that a social engineering attack succeeds and limits the damage when one does. Some of the key tactics your company can use to manage the risk include:
Having an Effective Cybersecurity Policy in Place
It all starts with clear procedures that cover your points of weakness.
Where social engineering is concerned, the most critical areas to address are how and when different classes of information may be communicated, and to whom.
The most effective policies will vary from company to company and must strike the right balance between security and convenience. Employees shouldn’t be giving out the maiden name of the CEO’s mother to anyone who tweets at them, nor should things go too far, like requiring employees to get managerial consent before using an adverb.
The policy should define which information is sensitive and how sensitive it is. There need to be clear rules for how and when each of these classes of information is distributed and whether they need approval from higher-ups before they are sent.
Another key element is the email usage policy, because so many attacks begin with an email. It needs clear rules: do not click links or open attachments in unexpected messages, do not trust unsolicited contacts, and verify any request for credentials, payments, or sensitive data through a separate channel (such as a phone number you already have, not one supplied in the message) before acting on it.
Employees need to ask the IT department for confirmation whenever there is any doubt. It is much better to be cautious than to let an attacker in by accident. You don’t want to foster a tinfoil-hat culture, but when it comes to security, a little paranoia is a good thing.
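As an added example (not part of the original article or of LuxSci’s products), the script below applies the email rules above to a raw message and reports the red flags those rules target: a display name that claims an executive while the address sits outside the company domain, a Reply-To that diverts the conversation elsewhere, a link whose visible text names one host while its href points at another, and pressure language in the subject or body. The company domain `corp.example`, the executive names, the keyword list, and both sample messages are constructed for the demonstration; the code uses only the Python standard library.

```python
# Heuristic red-flag checks for the email rules above. Added example, not the
# article's own material. Domain, names, keywords and both messages are constructed.
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "corp.example"              # assumption: your own mail domain
EXECUTIVES = ("ceo", "cfo", "jane doe")       # assumption: names attackers like to borrow
PRESSURE = ("urgent", "immediately", "confidential",
            "before you leave", "do not tell", "wire transfer")

# Constructed phishing sample: executive impersonation from an external domain,
# a diverted Reply-To, a disguised link and urgency cues.
PHISH = """\
From: "Jane Doe (CEO)" <jane.doe.ceo@mail-relay.example>
Reply-To: jd.private@freemail.example
To: pat@corp.example
Subject: URGENT - need this handled immediately
Content-Type: text/html; charset=utf-8

<p>Pat, I am in a board meeting and cannot talk. Please log in at
<a href="http://corp-example.login-verify.example/sso">https://sso.corp.example</a>
and send me the vendor payment details before you leave today. Keep this
confidential.</p>
"""

# Constructed benign sample: same executive, real domain, no diverted replies,
# link text and target agree, no pressure language. Must produce no flags.
BENIGN = """\
From: "Jane Doe" <jane.doe@corp.example>
To: pat@corp.example
Subject: Q3 offsite agenda
Content-Type: text/html; charset=utf-8

<p>Agenda is on the wiki:
<a href="https://wiki.corp.example/offsite">https://wiki.corp.example/offsite</a></p>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _host(url):
    """Lower-cased hostname of a URL, or '' when the string is not a URL."""
    return (urlparse(url.strip()).hostname or "").lower()


def analyze(raw):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    flags = []

    # 1. Authority impersonation: display name claims an insider, mailbox is elsewhere.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if any(title in name.lower() for title in EXECUTIVES) and domain != INTERNAL_DOMAIN:
        flags.append(f"From display name '{name}' claims an insider but the address is at '{domain}'")

    # 2. Diverted conversation: replies go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To '{reply_to}' differs from From '{addr}'")

    # 3. Disguised links: visible text shows one host, href points at another.
    body = (msg.get_payload(decode=True) or b"").decode(
        msg.get_content_charset() or "utf-8", errors="replace")
    parser = _Links()
    parser.feed(body)
    for href, text in parser.links:
        if _host(text) and _host(text) != _host(href):
            flags.append(f"link text shows '{_host(text)}' but points at '{_host(href)}'")

    # 4. Pressure language in subject or body (tags stripped, case-folded).
    plain = re.sub(r"<[^>]+>", " ", body).lower() + " " + msg.get("Subject", "").lower()
    hits = [word for word in PRESSURE if word in plain]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, "->", analyze(sample) or ["no red flags"])
```

These checks are heuristics that catch the lazy impersonations; they complement, rather than replace, SPF/DKIM/DMARC enforcement at the mail gateway and the out-of-band verification rule above. The benign sample matters as much as the phishing one: a check that flags ordinary internal mail trains people to ignore it.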
Training, Training, and More Training
Training is essential to reinforce these policies, and it has to be ongoing if employees are to keep abiding by them. Let’s be honest: cybersecurity policies can be tedious for the average employee, particularly one without much technical background.
Cybersecurity is the kind of thing that goes unnoticed when everything runs smoothly. Unless there has been a recent incident, security concerns drift to the back of an employee’s mind. Standards slip, and that is when things tend to go wrong.
The way to prevent this is regular, focused training. Training against social engineering can take many forms, and a mix of them keeps employees engaged: short presentations on the dangers and the standard tactics, role-playing of everyday situations such as an unexpected call from “IT” asking for a password, periodic email reminders, and more.
Testing
Testing is one of the best ways to show employees what social engineering risk looks like in practice. You can hire firms that run simulated phishing campaigns or place mystery calls that try to extract as much information as possible from your staff. You may be surprised by how much they are willing to give out.
The benefit of these tests is that they reveal the company’s weak points with little at stake. It is far better to run a test and then call a meeting to discuss which parts of the policy need attention than to discover the same weaknesses after a real breach. The shock of how easily the testers gathered information can be a wake-up call that reinforces your policies. Two caveats: agree on scope and rules of engagement with the testers in writing, and treat the results as a measure of the program rather than a reason to shame individual employees, since people who fear blame stop reporting the suspicious messages you most need to hear about.
Keeping Your Business Safe from Social Engineering
At LuxSci, we do our best to ensure that your business is secure from a technical standpoint. Our services, such as encrypted email and HIPAA-compliant web hosting, protect your business from many kinds of attack, but they cannot stop an employee from handing over their login credentials. Controls such as multi-factor authentication and least-privilege access limit what an attacker can do with stolen credentials, but they do not remove the need to address the human side.
If you want your workforce to be as secure as LuxSci’s services, make sure your company has appropriate social engineering awareness, policies, training, and testing in place. Being proactive significantly reduces the chance of suffering a costly attack.
Have questions about how to best keep your workforce secure? Contact Us