Why is social engineering one of the most widely discussed topics in security? Because it’s one of the most effective offensive tactics, and an inherently human one. It’s a concept that is easily understood because it largely plays on emotion. Whether the lever is fear, compassion, or anger, we can fundamentally understand why these attacks work. However, training programs are generally not geared toward these emotional elements. We’ve pulled together some tips to help enhance your social engineering training so it pragmatically and effectively protects your most valuable assets.
What is Social Engineering?
At its core, social engineering is manipulating a person in order to gain unauthorized access. It can be done via email, social media, phone, or in person. The most obvious form is an attempt to obtain account credentials, which the attacker can then use to move laterally inside the organization, with the ultimate goal of gaining admin rights. However, unauthorized access comes in many softer forms too: data loss comes in many shapes and sizes.
How to Defend Against Social Engineering
Employee awareness is key. Employees are your cyber front lines, and they can either be on your team or be the easiest way in. Since anyone at the company can be a target for social engineering, running a review of the organization’s maturity and awareness levels is a great first step. If you don’t have training specific to this in place, it’s a great addition to any security awareness program.
Once your employees are aware of the threat, testing them is an important part of the journey. These tests need to be ongoing, regularly updated, and run using different attack vectors to get a realistic view of the organization’s vulnerability to social engineering.
Nothing speaks louder than proof. Showing your organization examples from its own assessments is a big wake-up call to key stakeholders. Make sure there’s a risk level (preferably with a dollar amount) attached to drive the point home.
Here’s where third parties are helpful. Suggesting relevant countermeasures for the information security teams, the physical security managers, and the applicable organizational units in charge of sensitive processes (such as the customer’s identification) can help reinforce the point. Just like with any feedback – offering a solution rather than just pointing out the problem is much more effective.
People learn in different ways, so provide different methods of learning in the training, including visuals. Provide actual, up-to-date cyber security awareness materials that can greatly enhance employees’ overall awareness. These usually consist of pictures, video files, audio files, and social engineering drill reports. Being able to see the threat in a real-life scenario can help employees understand its full scope.
Bring in the Experts
Hearing accounts from the people who have done social engineering not only helps keep people engaged, it also helps provide the attacker’s mindset to the security teams. This allows a different perspective to the current security strategy – when you understand the attacker’s point of view, you can defend against them more effectively.