And when it comes to attacking companies, it's an effective method of obtaining information. Because it is a non-technical process, social engineers need only a basic amount of technical knowledge and some skill at human interaction to deceive people into disclosing vital company information that can compromise a network's security. Worse, once a social engineer gains access to a company's network, the whole company is at risk.
Social engineers use a number of different methods to gain access to an organization. Fortunately, there are some things companies can teach their employees as a form of protection.
Want to keep your corporate network safe? Here are a few simple pitfalls employees should learn to avoid.
Revealing Passwords

Obtaining the passwords that staff use to log on to a network is a straightforward method used by social engineers. As such, employees should be instructed never to write their passwords down or give them out over email or on the phone. In rare cases, a password may be required by a real IT staff member, but it should always be given out in person. (For related reading, check out 7 Sneaky Ways Hackers Can Get Your Facebook Password.)
Leaving Unauthorized Personnel Unattended

In some cases, social engineering is as simple as looking over a user's shoulder while he or she logs on to a secure network. Social engineers can also physically infiltrate companies by posing as employees or authority figures. In a worst-case scenario, a social engineer who is granted access to a building gains internal access to the company's network and can begin launching attacks on it. That's why, as a general rule, unauthorized guests should not be left unattended, especially in areas with direct access to the company's network.
Disclosing Corporate IT Information

A company's IT information can be used by social engineers to gain access to its network. A common method used by social engineers to obtain information about a company is to pose as a technical support officer for one of the products the company actually uses. Social engineers will often call a number of employees and ask them to take a survey for research purposes; in reality, this is a simple way of deceiving employees into giving out confidential company IT information.
To prevent social engineering attacks of this sort, it is important to educate staff on the dangers of disclosing IT information to unauthorized figures and to establish a policy of only allowing IT staff to handle any calls about the company’s IT infrastructure.
Failing to Monitor Personal Accounts and Information

Employees often access personal accounts, such as bank accounts and credit cards, online while at work. For personal protection, people should stay on top of their account summaries and credit scores to minimize the risk of identity theft or credit card fraud. Keeping an eye on all personal accounts and removing any confidential information published on public websites is also important.
Employees should also be instructed to avoid using the same password for different applications, whether in their personal lives or at work. This can help contain the damage if one account is hacked.
Failing to Inform Staff about Security

If there's one thing that social engineers can exploit, it's ignorance. As such, it's a good habit to regularly discuss security-related topics with staff and inform them about the methods used by social engineers. This will help them make better judgments if they do come up against a clever social engineer. Discussing ways of minimizing the risk of social engineering attacks with staff is also useful because it not only guards the company against potential attacks but also makes it easier to detect attacks if they do occur.
According to the 2012 Verizon Data Breach Investigations Report, social engineering tactics accounted for about 14 percent of the data breaches recorded in 2012. The reality is that social engineering works, which means that criminals are likely to continue to use it to gain access to company networks. The first line of defense against these attacks, however, is a clearly defined set of security policies and a well-informed staff. Social engineers only succeed if they're able to trick someone into slipping them an important piece of information. In that sense, employees - not technologies - are the first line of defense.