Stopping Social Engineering: Who's Looking Over Your Shoulder?
Social engineering might be low tech, but it works. That means that protecting against it isn't so much about technology as it is about teaching staff how to stay safe.
Have you ever received an email you knew was a virus, but were tempted to click on it anyway? Or maybe you've been fooled by a fake Facebook link for a free coffee? Tiny scams like these use social engineering, and they can have a big impact on personal – and corporate – computer security. Social engineers take advantage of human behavior to pull off a scam, whether that's appealing to our desire to read the latest gossip or save a few dollars at Starbucks. (To see some of the effects of hacking, check out The Most Devastating Computer Viruses.)
And when it comes to attacking companies, it's an effective method of obtaining information. Plus, because it is a non-technical process, social engineers only need a basic amount of technical knowledge and human interaction to deceive people into disclosing vital company information that can compromise a network’s security. The worst part is that if a social engineer is successful at gaining access to a company’s network, it can put the company at risk.
Social engineers use a number of different methods to gain access to an organization. Fortunately, there are some things companies can teach their employees as a form of protection.
Want to keep your corporate network safe? Here are a few simple pitfalls employees should learn to avoid.
Obtaining the passwords that staff use to gain entry into a network is a straightforward method used by social engineers. As such, employees should be instructed to avoid writing their passwords down or giving them out over email or on the phone. In rare cases, a password may be required by a real IT staff member, but it should always be given out in person. (For related reading, check out 6 Sneaky Ways Hackers Can Get Your Facebook Password.)
Leaving Unauthorized Personnel Unattended
In some cases, social engineering is as simple as looking over a user's shoulder when he or she logs on to a secure network. Social engineers can physically infiltrate companies by portraying themselves as employees or authority figures. In a worst-case scenario, a social engineer who is granted access to a building will gain internal access to the company’s network, where they can begin launching attacks on it. That's why, as a general rule, unauthorized guests should not be left unattended, especially in areas with direct access to the company's network.
Disclosing Corporate IT Information
A company’s IT information can be used by social engineers to gain access to a company's network. A common method used by social engineers to obtain information about a company is to portray themselves as a technical support officer for one of the products the company actually uses. Social engineers will often call up a number of employees and ask them to take a survey for research purposes; in reality, this is a simple way of deceiving employees into giving out confidential company IT information.
To prevent social engineering attacks of this sort, it is important to educate staff on the dangers of disclosing IT information to unauthorized figures and to establish a policy of only allowing IT staff to handle any calls about the company’s IT infrastructure.
Failing to Monitor Personal Accounts and Information
Employees often access personal accounts, such as bank accounts and credit cards, online while at work. For personal protection, people should stay on top of their account summaries and credit scores to minimize the risk of identity theft or credit card fraud. Keeping an eye on all personal accounts and removing any confidential information published on public websites is also important.
Employees should also be instructed to avoid using the same password for different applications, whether in their personal lives or at work. This can help contain the damage if one account is hacked.
Failing to Inform Staff About Security
If there's one thing that social engineers can exploit, it's ignorance. As such, it's a good habit to regularly discuss security-related topics with staff and inform them about the methods used by social engineers. This will help them to make better judgments if they do come up against a clever social engineer. Discussing ways of minimizing the risk of social engineering attacks with staff can also be useful because not only will it guard the company against potential attacks, but it will also make it easier to detect attacks if they do occur.
According to the 2017 Verizon Data Breach Investigations Report, social engineering tactics accounted for about 90 percent of the data breaches recorded in 2017. The reality is that social engineering works, which means that criminals are likely to continue to use it to gain access to company networks. The first line of defense against these attacks, however, is a clearly defined set of security policies and a well-informed staff. Social engineers only succeed if they're able to trick someone into slipping them an important piece of information. In that sense, employees – not technologies – are the first line of defense.