
Coming To A Workplace Near You: Social-Engineering Attacks
What is trust? As human beings, we have a tendency to trust others, whether we like to think so or not. In the new digital age of social engineering, attacks are going beyond the typical, obvious-looking phishing emails with fake company logos and fake help desk phone calls; more sophisticated attacks are emerging that go beyond amateur means.
Social Engineering: The Clever Manipulation Of The Natural Human Tendency To Trust
These increasingly sophisticated threats require a mix of people, processes, and technical safeguards in order to protect an organization.
Using both high-tech and low-tech strategies, today’s social engineering attacks look and feel more convincing, targeted and effective than before. Almost seven in ten companies say they’ve experienced phishing and social engineering attacks. What is most important is to understand the threat in order to minimize the risk.
Knowing The Threat
Today’s phishing emails look very similar to communications coming from the companies they are imitating. These emails can contain personal details of targeted victims, making the email seem more convincing. In the most recent United States presidential election, hackers used a phishing email that appeared to come from Google to access accounts and release a top campaign manager’s emails. In another case, a social-engineering attack manipulated a call-center worker to get a customer’s banking password. Another way is to target the data that is displayed on a laptop or mobile device. An attacker can pose as a trusted vendor in an office, or as a business associate in a foreign country, and capture data with a smartphone or hidden recording device.
3-Layered Defense
- Humans: Provide ongoing training to educate your workers about social-engineering threats and about the procedures that prevent those threats from materializing. All employees who handle sensitive information (e.g., HR, Sales, Accounting) should be fully engaged in these training seminars.
- Processes: Develop and deploy policies that encourage workers not to click on suspicious links or provide information outside the organization without first confirming. Develop procedures that also inform the IT department of attempted attacks, so it can better understand the vulnerabilities and properly protect the organization.
- Technology: Security controls, perimeter controls, anti-virus, and intrusion detection/prevention systems are vital, as are security intelligence tools that understand the security ecosystem and the potential risks that may be faced.
Constantly evolving is the key to defending against social engineering attacks. Simply slapping down a piece of technology and hoping that it will safeguard you against ever-evolving social attacks is a recipe for great loss to your organization. This is no longer an I.T. problem; it is an organization problem.