Businesses Threatened by Social Engineering Attacks: Top 3 Essential Tips to Protect Yourself
People know that the criminals stand to make some serious money if they steal sensitive data, especially when the said data belongs to a corporation. What they don't always realize is just how the bad guys get their hands on the loot. Often, it has nothing to do with physical access. It might not have anything to do with hacking the company's IT infrastructure, either. In fact, some people think that when it comes to data security, the biggest threat companies face is social engineering. Today, we'll try to give you some tips on what you can do to protect your company's data from conmen who use deceit rather than technical skills to steal corporate information.
- Use technology to protect your data
- Raise as much awareness as possible
- Control access to the organization's online assets
People think that social engineering has more to do with human psychology than with electronic devices. They often reckon that protection against social engineering should be built into the brain rather than into the IT infrastructure. This is not strictly true.
In July of last year, for example, Google proudly announced that ever since it gave its employees YubiKeys and forced them to use two-factor authentication (2FA), it hasn't registered a single successful phishing attack. Considering the fact that a whopping 85 thousand people work for the Silicon Valley behemoth, this is quite an achievement.
As you can see, it's important not only to train employees to use two-factor authentication, but also to choose the most secure form of 2FA. And they don't come any more secure than U2F hardware tokens.
Other pieces of technology can also help. A solid password management solution, for example, gives employees an easy way of avoiding weak passwords and password reuse (two things that can make a social engineering attack fairly easy to pull off). A password manager with auto-fill functionality will also fill in the login credentials only if the URL is correct, which could also help employees avoid giving away their usernames and passwords. It should go without saying that companies should think about investing in security software if they haven't already.
The size of the investment depends on the size of the organization and the potential damage. Common sense dictates, however, that anti-phishing and malware filters should fend off most socially engineered emails (the most common attack vector), and if a malicious file does get through, a security product installed on the employees' computers could act as a last line of defense.
So, technology can help businesses protect themselves from social engineering attacks. It is far from enough, though.
Many people say that when it comes to cybersecurity, the human is the weakest link. We reckon, however, that a more accurate statement would be that the weakest link is the human who doesn't know any better.
Many organizations wrongly assume that their team is too good to fall for a social engineering attack. They also tend to underestimate the attackers, and when things eventually end up horribly wrong, they don't even know what hit them.
Prevention, as the cliché says, is the mother of all cures, and when it comes to social engineering in the corporate world, prevention involves a bit more than installing the latest piece of security software on employees' computers. People should get to know the threat, and, more importantly, they should realize just how real it is.
Some corporations think that the best way to do this is to put all employees in a conference room and treat them to a PowerPoint presentation. Others take an even more impersonal approach and instead send an email with a few "MUST READ" articles on social engineering.
As another cliché says, experience is the mother of wisdom, and if we have to go by that one, the training methods listed above shouldn't be terribly effective. Indeed, most activities that involve a PowerPoint presentation usually produce more yawns than education, and there's no denying the fact that employees and managers don't always see eye to eye when it comes to what's useful and what isn't.
The upshot is that if people are to know how dangerous social engineering is, they need to see it for themselves. Training them by simulating attacks is the way to go. Better still, if you can hire experts to prepare the simulation, your employees will get a more realistic experience. Don't rely on a single training session, though. Attacks evolve with time, the schemes become more elaborate, and although there are recurring themes, they exploit weaknesses (both human and technological) that haven't been abused before. Keep your employees up-to-date with the latest trends and make sure that they're alert at all times. Last but not least, prepare yourself for the worst.
Even with the best security products in place and with the most knowledgeable employees, you should never assume that the bad guys won't be able to con their way into your company. On the contrary – your best bet is to get used to living with the thought that sooner or later, they will break in. It's up to you to ensure that when they do, they won't be able to walk away with a lot.
You must make sure that the damage is contained as much as possible, and the only way to do that is to impose limits on what employees can and cannot access. To keep morale up, you should think about how to explain the reasons for your decisions. People must know that the access limits have nothing to do with a lack of trust. If a particular person can't get to a certain piece of information, it's not because they're not good enough to handle it. It's because they don't need it to do their job. Obviously, if a certain type of data is required for the task at hand, it must be available.
This ensures that if things go wrong, as little information as possible is put at risk. Pay particularly close attention to the people who are most likely to be attacked. Managers and C-level executives tend to think that since they are the ones calling the shots, there should be no off-limits zones for them. The reality, as is often the case, is a bit different. Try to explain to them what the repercussions of having unlimited access could be, and make sure that they are aware of what you're doing and why. In the end, it's their call, but you can at least let them know what's best for them.
One more problem modern businesses face is the so-called Bring Your Own Device (or BYOD) policy. The trend of employees using their personal laptops, smartphones, and tablets for work purposes has been particularly strong in recent years. More and more people want to do it, and more and more organizations are starting to allow it, saying that it has obvious productivity gains. Nevertheless, the security risks should be obvious. Try to weigh the advantages and disadvantages carefully, and if you do decide to allow it, make sure that there are strict rules as to what can be used and when. When there is so much at stake, you can never be too careful.
Unfortunately, there isn't (and there never will be) a step-by-step algorithm that can guarantee successful protection against social engineering scams. In fact, the tips we listed above might be nowhere near enough to shield your organization against this kind of activity. They should help you acquire the right mindset, though, which is very important if you want to correctly assess what your company needs.