Protecting against the art of exploiting human nature
‘Social engineering’ is the manipulation of people into handing over something that should be protected: data, physical products, access to premises and other property sensitive to your business. The technology may be patched and hardened, but your people remain the vulnerability an attacker can always reach, so it’s important to do all you can to train them.
While technical attackers exploit vulnerabilities in software to break into computer systems and steal data, social engineering preys on human vulnerabilities to achieve the same result.
Technical vulnerabilities are predictable in a way people are not. Computers don’t have emotions or personalities; humans have many ever-changing weaknesses, such as the wish to be helpful or the fear of annoying a senior person. A strong password protects nothing if its owner can be talked into reading it out, so the responsibility lies with users not to share private information, and with the business to give them the training and processes to refuse politely.
Protecting against social engineering doesn’t have to weigh your business down. Think about security like an onion – there are layers. The more layers, the harder it will be to break through. No system is ever 100% secure, but you can aim to add as many layers as possible. This is the approach we take to help protect you from social engineering.
Building a strong defence
Training and awareness, along with policies and processes, will help you build security and protect against attacks on human vulnerabilities. Equipping your employees with the right training can make or break an attacker’s mission. Common signs of an attack are a good place to start. Look for things like:
- Impersonation – often an attacker will pretend to be someone else (a colleague, a supplier, a customer or a well-known company) to get things that would otherwise be out of bounds.
- Authority – this is commonly used alongside impersonation. Attackers will pretend to be in a position of authority, which pressures the staff member into rushing the request through without asking questions.
- Prizes – a classic scam route, the attacker will offer money or a good deal. As with most things, if it sounds too good to be true – it probably is.
Training like this is important to help you and your employees recognise an attack. Attacks arrive through three main channels:
- Phone – an attacker can call and use a combination of impersonation and authority to gain access to sensitive information or services.
- In-office or face to face – the attacker can pretend to be someone else to gain access to the building where they can steal equipment or infect computers with malware.
- Online – phishing emails, scam websites or fake social media accounts – online is an attacker’s paradise.
A common example is the ‘Microsoft help desk’ phone call or email. Scams like this aren’t easy to spot. You and your staff need to be aware of how attackers take advantage. IT Governance says these are ways you might be able to spot a phishing email:
- Suspicious links or email addresses – the visible text of a link can differ from where it actually goes, so hover over it (or long-press on a phone) to see the real destination, and compare the sender’s actual address, not just the display name, with the genuine domain. The difference between the real and the fake may be a single character, such as a zero in place of an ‘o’ or an extra word tacked onto the company name.
- Time limits – the email can have an expiry date or ask you to respond by a certain time. This is a red flag – attackers want you to feel pressured to complete an action.
- Rewards – prizes and money are often offered as bait in these emails.
- Suspicious attachments – do not open an attachment from anyone you don’t know or trust, and be wary of unexpected attachments even from people you do. These can contain malware or give the attacker a foothold on your computer.
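The link and sender checks above can be turned into a small, automatable test. The following is an added example written for this page; it is not First AML’s or IT Governance’s code. It assumes a hand-maintained list of domains the business trusts, a short table of common character substitutions, and a two-label approximation of the registered domain (a public-suffix list would be more accurate). The message samples at the bottom are constructed for the example.

```python
from __future__ import annotations

from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the business genuinely deals with. Constructed for this example.
TRUSTED_DOMAINS = {"microsoft.com", "firstaml.com"}

# Substitutions attackers use so a fake domain reads like the real one (assumed, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case a domain and undo common look-alike substitutions."""
    d = domain.lower().strip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def registrable_domain(host: str) -> str:
    """Approximate the part of a host name that somebody registered.
    Assumption: the last two labels; a public-suffix list would be more accurate."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, trusted: set[str] = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    norm = normalise(reg)
    words = norm.split(".")[0].replace("-", " ").split()
    for t in trusted:
        brand = t.split(".")[0]
        # Same name once homoglyphs are undone, a near-miss spelling, or the brand
        # used as one word of the name (micros0ft-help.com) all count as look-alikes.
        if norm == t or edit_distance(norm, t) <= 2 or brand in words:
            return "lookalike"
    return "unknown"


def hostname_in_text(text: str) -> str | None:
    """Pull a host name out of link text such as 'login.microsoft.com'; None for plain words."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def check_link(display_text: str, href: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Flag a link whose visible text and real destination disagree, or whose target is a look-alike."""
    findings = []
    target = urlparse(href).hostname or ""
    shown = hostname_in_text(display_text)
    if shown and registrable_domain(shown) != registrable_domain(target):
        findings.append(f"link text shows {shown} but points to {target}")
    if classify_domain(target, trusted) == "lookalike":
        findings.append(f"destination {target} resembles a trusted domain")
    return findings


def check_sender(from_header: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Flag a From: header whose display name borrows a trusted brand but whose address does not match."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    verdict = classify_domain(domain, trusted)
    if verdict == "lookalike":
        findings.append(f"sender domain {domain} resembles a trusted domain")
    claimed = [t for t in trusted if t.split(".")[0] in name.lower().replace(" ", "")]
    if claimed and verdict != "trusted":
        findings.append(f"display name '{name}' claims {claimed[0]} but the address is @{domain}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a phishing-style sender and link, then a genuine pair.
    print(check_sender('"Microsoft Support" <support@micros0ft-help.com>'))
    print(check_link("https://login.microsoft.com", "https://login.rnicrosoft.com/verify"))
    print(check_sender("Alice <alice@firstaml.com>"))
    print(check_link("Click here", "https://www.microsoft.com/account"))
```

The point of the example is the order of checks a person should follow by hand: look at the real address and the real destination, not the display name or link text, and then ask whether that domain is genuinely the one you know or merely resembles it. The heuristics here are deliberately simple and will produce both misses and false alarms; a finding is a reason to pick up the phone and verify, not a verdict.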
How processes add layers of protection
Processes and policies unique to your business will help you add more layers of protection. These extra layers give something for your staff to fall back on when they’re not sure if a contact is legitimate. Common processes and policies are:
- Verifying identity – verify who someone is before giving out sensitive information or completing a request. This applies both to customers asking for help and to anyone claiming to be your bank, a supplier or a business partner. Verify through a channel you already hold, such as calling back on a number from your own records rather than one given in the message, and remember that no legitimate bank will ask you for a password.
- Checking authority – make sure security applies to everyone, including yourself and senior staff, so that ‘the boss asked for it’ can never become a shortcut around the process. Attackers impersonate senior staff precisely because people hesitate to question them.
- Applying consistent rules – be consistent with rules and standards when dealing with someone online, face to face or over the phone.
Keeping on top of it
While there is no single solution to social engineering, there are a few ways to keep on top of it.
Make time for training
Reserve time in regular company meetings to discuss security. This doubles as training and education time.
Encourage people to speak up
It’s important to encourage a workplace culture where employees feel comfortable speaking up and having conversations about security. Near-misses and mistakes that get reported show you where your processes break down; those that are hidden out of fear cannot be fixed.
Create attack simulations
Simulations of an attack can be beneficial for your staff. These can include mock phishing emails, scam calls or testing of physical building security, and can be completed in-house or by a specialist company. Treat anyone who falls for a simulation as a person to coach rather than punish; otherwise staff will stop reporting the real thing.
Keep on top of the technical
As a final step to maximising your protection against social engineering, don’t let your grip on technical and in-person security slip. Controls like two-factor authentication, network security, physical workplace security and password managers are still robust layers inside your onion to protect your business and your customers. Two-factor authentication in particular limits the damage when a password is phished, and a password manager that only fills credentials on the genuine site will refuse to fill them on a look-alike.
Learn more about First AML’s security at firstaml.com/security