Tech Talk: Social Engineering

Cybersecurity is one of the top concerns of the business community, and while much attention is on the technical solutions like firewalls, antivirus software, and network vulnerability scanning, most organizations are ignoring the threat posed by social engineering. Yet social engineering is the biggest cybersecurity threat your company faces.

Social Engineering: The psychological manipulation of a person in an effort to trick them into revealing information.

Social engineering can take many forms. A simple example of social engineering is when an attacker dressed as a building maintenance worker with an official-looking badge walks into your office and does an “inspection” of the light fixtures. Along the way, they view any documents left out in the open and note any logins and passwords on sticky notes stuck to monitors. Another example is when an attacker calls your employee posing as a member of your accounting team and asks for bank account information. While these are relatively unsophisticated examples, they are highly effective and still regularly used today.

Social engineering attacks are incredibly easy to perpetrate thanks to the wealth of information available online. An attacker can get your organization’s reporting structure and obtain detailed information about your executives, including names work and education histories and hobbies. The attacker can then use this information to pose as an executive, either digitally via email, in person or on the phone to trick a subordinate into giving away valuable information.

There are two things you can do to prevent your staff from falling prey to social engineering attacks:

1. Education
You need an employee education program that trains employees how to recognize and respond to social engineering attacks. Because the attacks are continually changing, your training program should be updated and delivered regularly, at a minimum once a quarter. We also provide clients with a testing service where we send emails or call employees and track who falls for the attack. We can then provide specific feedback to those employees to help them understand which ploy was used and how to recognize it in the future.

2. Policies and Procedures
Your company should have clearly written and broadly communicated policies and procedures that govern the release of any confidential information. If an employee receives an email from the CFO asking for employee W-2’s, there should be a procedure for that employee to verify the request before releasing the information. If an employee gets a call from I.T. asking for their username and password, that employee should have a precise procedure for confirming that request is legitimate.

While hackers, viruses, and malware will continue to be a threat, your most significant security risk is the employees in your organization. However, a robust training program and easy to understand policies and procedures can minimize the risk.

If you need help setting up a training program or building your cybersecurity policies and procedures, contact us. We can help!