Social engineering is where Derren Brown and technology meet in the middle. This phenomenon stands out from other cyber threats in that it almost wholly relies on human manipulation, rather than malware or outright hacking.
In particular, social engineering is the art (though that’s a highly complimentary term for something so malicious) of manipulating people into giving up confidential information. It’s an age-old trick that somehow seems to keep catching people out – even those well-versed in technology. All it takes is a quick Google search and you will find that even large retailers, web service providers, and business corporations have fallen victim before.
What makes it difficult to combat is that the absence of any technical techniques leads to an absence of technical solutions. Your cloud security/building security/whatever security deployments simply won’t cut the mustard against weaselling social engineers. Instead, protection against social engineering depends almost entirely on education and training.
Staying ahead of the scam
The foundation of social engineering scams is exploiting human psychology. In particular, malicious actors might use social media, cloud applications, or email channels for their attack.
However, it is not limited to online communications; social engineers may also call up an unknowing member of the workforce via telephone, posing as an IT support person. Then, they will use this ruse to fool the employee into sharing their credentials.
So, what’s an enterprise to do? Firstly, you must adopt a verification culture. In particular, you must encourage staff to validate requests that seem a little out of the ordinary. Workers can do so by following up on any other communication channel. Realistically, there are few cases that are so urgent that they must get done within thirty seconds.
Furthermore, your organisation may also benefit from running regular workshops and simulations. At least this way, they are always on alert and remember to second guess themselves– in a good way!
Then, of course, there is the obvious: you should review your processes and identify any gaps where your security needs heightening. The crux of social engineering protection, however, is education, education, education. With nobody wanting ‘that person’ whose naïvety (for lack of a better term) led to a security breach, your staff will surely thank you.
If you’d like to learn more about phishing-style attacks, why not check out this article about whaling?