What is social engineering? It’s the art of manipulation that relies heavily on human interaction and psychology to trick people into revealing sensitive information about themselves or others. Social engineering works to exploit the human inclination to trust others, and for that reason, it’s one of the most dangerous and murky threats facing organizations today. Think about it—why waste time trying to crack a password that could take hours or days, when you could get someone at the company to hand it to you in minutes?
You are only as strong as your weakest link. And typically, the weakest link isn’t your firewall or alarm system, but humans. All the technical protection in the world can’t protect you if an employee gives the keys to the kingdom away.
There are so many stories of people or companies tricked into giving up information by deceptively simple methods that it can quickly become overwhelming. How can you protect your company from social engineers and attackers who take advantage of these methods?
For a company, one of the best ways to combat potential scammers is to educate employees on standard policies and procedures, and emphasize the importance of awareness. Know what phishing, baiting and pretexting are, and learn to recognize the signs of these techniques.
If an attacker sends an email saying your anti-virus program has expired and you should download the new file right away, do you know what your company’s real anti-virus software looks like? Do you know who those requests would normally come from? Do you know the right person to ask if you are unsure what to do?
TV shows and movies that show the daring spy posing as a janitor, lost tourist, or debonair guest at a ball are examples of social engineering. Even if some of the Hollywood scenarios are a little far-fetched, they can still offer lessons. No matter how ridiculous the stunt the spy is pulling off, he always has the confidence to do it, and that’s what is important to note. Confidence is key.
Social engineers are very suave, smooth-talking people. They may assume an authoritative tone and claim they are acting on behalf of corporate management to demand a password reset or other information. Again, this is where company security training is beneficial. If employees are aware of who is actually authorized to make such requests and how those procedures should be handled, it is easier to detect a fraudulent request. Confident employees who are comfortable in their knowledge of company procedures have just thwarted a major tool for social engineers.
Awareness of your surroundings is key, too. The character Mad-Eye Moody from Harry Potter has it right: “Constant vigilance, Harry, constant vigilance!” People are always trying to access your information. Hours of operation are all day, every day. “Whereas the normal IT Director goes home at 5 or 6 p.m., the hacker will work 24 hours a day to accomplish his/her goal,” according to social-engineer.org. It’s important to remember that there are people who will stop at nothing to get your personal information. Make a note of strangers you see entering the building, and while you might be called rude, don’t hold the door open for anyone. Tailgating is a popular method for hackers (or anyone) to enter a normally locked building, and once inside, they can move about without worry. Don’t be afraid to speak up if you see suspicious activity in and around your building.
Training your employees to recognize signs of a non-technical attack is the best way to protect against potential threats from others. If you have a deep level of knowledge about company policies and procedures, or know how to detect signs of social engineering, share that with your employees! This kind of information sharing is good. If you are in charge of company security and aren’t confident your skills are up to speed, hire a consultant who is, and learn from them alongside your coworkers. Hackers are everywhere, and while that thought sounds scary, it’s very possible to protect yourself by remaining aware and vigilant about your surroundings.