Social engineering is the practice of exploiting human psychology and manipulating people to gain access to systems, data, or a physical location. This term might be newer, but the art of the scam has been around for much longer.
What Is Social Engineering?
Social engineering can occur in two ways: physical or cyber. Physical social engineering might involve entering a building using a borrowed card or code, wearing clothing or a uniform that makes the person look like an employee, or using publicly available information to talk their way into a facility. A common example is someone posing as a phone repairperson who surreptitiously enters a building and ultimately gains access to secure information. Cyber social engineering is criminals obtaining passwords, logins, email addresses, phone numbers, or social media accounts. Cybercriminals could send someone at your firm an email saying they are new to the organization and need access to certain files. If the proper protocols are not in place, this person can use public information to craft a customized phishing message.
Social engineering is not something that appears overnight. Most take weeks or months to plan. Examples of different tactics include:
- The cybercriminal may call your firm multiple times and talk to several people, gathering small pieces of information on each call, or send simple emails designed to extract specific details
- The cybercriminal may send an email asking for help moving cash out of their country into a "safe" bank, offering a portion of the money in return
- A form of spoofing where the email looks like it comes from your CEO asking for a payment to be made
- Cybercriminals trying the “victim” method, in which they call your company claiming to be an employee who is having trouble logging into their computer, for example
- Cybercriminals acting like they are in charge, posing as someone in a position of power and claiming they should have access to certain restricted places. Authoritative tones and pressure can make employees do or say things they should be questioning
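The CEO-spoofing and pressure tactics listed above can be caught by a mail-flow check before the message reaches an employee. The Python below is an added example, not part of the original article: it scores constructed sample messages for executive-impersonation indicators. The firm's domain, the executive list and the keyword list are assumptions chosen for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example (constructed, not from the article): the firm's
# mail domain and the executives most likely to be impersonated.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PRESSURE_WORDS = ("wire", "payment", "invoice", "gift card", "urgent", "today")

def analyze_message(raw: str) -> dict:
    """Score one RFC 5322 message for executive-impersonation indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", addr))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    indicators = []
    expected = EXECUTIVES.get(name.strip().lower())
    impersonation = bool(expected) and addr.lower() != expected
    if impersonation:
        indicators.append("executive display name with a non-matching address")
    if from_domain != ORG_DOMAIN:
        indicators.append("sender outside the firm's domain")
    if reply_domain != from_domain:
        indicators.append("Reply-To routes answers to a different domain")
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        indicators.append("payment/urgency language: " + ", ".join(hits))

    # Impersonating a known executive is decisive on its own; otherwise require
    # both a reply-routing anomaly and pressure language before flagging.
    suspicious = impersonation or (bool(hits) and reply_domain != from_domain)
    return {"suspicious": suspicious, "indicators": indicators}

# Constructed sample messages: a CEO-spoof payment request and a benign note.
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@mail-example.net>
To: accounts@example.com
Reply-To: Jane Doe <jdoe@webmail.example>
Subject: Urgent wire transfer

Please process the attached invoice payment today. I am in a meeting and cannot take calls.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Team lunch Friday

Lunch is at noon, see you there.
"""
```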
How to Prepare Your Organization
The best way your firm can prepare for and prevent a social engineering attack is twofold: education of your employees and layers of technological defenses to detect and respond to attacks. Everyone needs to be aware that social engineering exists and become familiar with the most common tactics used in both physical and cyber attacks.
The following items are considered best practice in preparing your employees:
- Security awareness and training
You can never have enough training when it comes to cybersecurity. Annual reviews and courses are a great way to keep employees informed of the current trends. In addition, providing up-to-date news and information on “breaking” areas of security attacks should be part of your internal communication plan.
- Review existing policies, procedures, and protocols
Making sure your security policies are current is vital to protecting your and your clients’ assets. Technology is constantly changing, so a policy from 2018 may no longer meet today’s standards. An annual review of how you will handle an attack should be part of your process because you do not want to be scrambling once your firm is attacked. Also, separation of duties and other protections may at some point be compromised by insider threats, so those risk reviews are a good way to keep everyone informed.
- Testing your incident management and reporting systems
Organizations vary in size. Being aware of the amount of time and resources you invest in your IT security can be a key element of your business’s success. You should regularly run through potential scenarios with executives and key personnel and look for any gaps that could be exploited.