Cyber Security Hub’s Mid-Year Market Report 2022 found that 75% of respondents cited social engineering and phishing as the top threat to their organisation. These results come in the wake of warnings from researchers such as Check Point Research about how AI-enabled technologies, such as ChatGPT, can be used to create convincing phishing emails.
Social engineering is an insidious scam technique, and attackers use it because it works. To be socially engineered is to be exploited through the ordinary behaviours you rely on every day: trusting a familiar name, helping a colleague, responding promptly to a request from a manager. Because attackers understand how to manipulate people at this basic level, such attacks can be hard to identify. Here, MetaCompliance goes through the process needed to ensure that your employees do not become victims of a social engineering attack.
Three Steps to Avoid Social Engineering Attacks
Social engineering attack prevention, in all its forms, requires processes and tools and should be treated as a multi-pronged approach. Three core elements, used together, help to ensure that your organisation and employees are ready to tackle any form of social engineering used to carry out a cyber security attack:
- Strategise: build social engineering into your security strategy.
- Personalise: train employees on the social engineering threats they are most likely to experience.
- Report: encourage incident reporting to improve your response to an attack that involves social engineering.
Strategise: Ensure Your Security Strategy Reflects Real-World Attacks
Social engineering attacks cover many scenarios, from phishing to relationship manipulation to physical versions of social engineering such as ‘tailgating’. Often, attackers combine in-person and digital tricks as part of a sophisticated attack.
Spear phishing emails, for example, can be very difficult to detect and are a popular way to harvest login credentials or personal information. These multi-stage attacks often involve malware downloads and manufacture a sense of urgency to encourage the recipient to act without thinking.
To ensure that your organisation covers all these scenarios, build a security strategy that includes detection measures, reporting procedures for security incidents, incident response plans, and how to carry out security and privacy audits.
Your strategic planning must include how to mitigate the impact of social engineering; this should include Security Awareness Training that involves social engineering role play. Once in place, your security strategy and response plans must be regularly reviewed and updated in line with the changing threat landscape and the new opportunities afforded to attackers by technology and working patterns, such as remote work.
Personalise Security Awareness Training
Carry out Security Awareness Training sessions with employees that are based on specific threats. In practice this means tailoring each session to the employee’s role, because different roles typically attract different types of social engineering attack.
For example, Business Email Compromise (BEC) scams tend to use social engineering to target personnel working in accounts payable or C-level executives because these roles control company finances.
One recent report from Abnormal Security that looked at email threats found that around 28% of targeted employees would open a BEC message; of those who opened one, 15% went on to reply to it, thus engaging with the fraudster and opening the door to further social engineering.
Tailor your Security Awareness Training to deliver role-based training focused on the core threats each role faces. Use a platform that offers role-based templates for phishing simulation exercises, and create phishing simulations and training sessions focused on the type of threats an individual employee or department is likely to experience.
Encourage Security Incident Reporting
The Abnormal Security report also found that only 2.1% of these attacks were reported to the organisation’s security team. This leaves a gaping hole in the ability to respond quickly to an ongoing attack.
Because social engineering is often part of a chain of events leading to outcomes such as financial theft or ransomware infection, having early warning of an ongoing incident can provide the intelligence needed to stop the attack in its tracks and mitigate the attack’s harm.
It is essential to provide an easy way to report incidents and to cultivate a no-blame environment so that employees are willing to report. Organisations should not rely solely on firewalls or spam filters to prevent these types of attacks: a well-crafted spear phishing email or a phone call from a ‘supplier’ passes straight through both.
Instead, give your employees the ability to report a cyber incident. Reporting an incident can help limit its impact by escalating the response to someone with the knowledge to act on it. Importantly, offer employees a safe place to record the details of the incident, such as a dedicated security incident reporting portal.
Using the incident information input by the employee, the security team can triage the incident, set response priorities, and initiate security protocols. For example, the MetaCompliance MetaIncident console is a lifecycle incident management system that includes an incident register to manage issues. The ability to audit incident reporting and responses and generate reports using the data from a security incident is also helpful for proof of compliance with regulations.
Social engineering is likely to continue to challenge organisations. New technologies such as AI-enabled interfaces will allow fraudsters to build even more sophisticated social engineering lures. However, a company can blunt this insidious threat by developing focused education programmes and integrating incident reporting into everyday work.