Social engineering can bypass any enterprise data security defense. No amount of software or hardware can prevent unsuspecting and uninformed users who have access to systems and services from being manipulated.
When we put our faith and confidence in a person who ultimately has access to our computers and security systems, we set ourselves up to be exploited. We may have the very best in security measures, but human psychology is something we cannot protect against with software or hardware alone. Protection against social engineering requires education and insight.
Social engineering is the psychological manipulation of people’s minds in an attempt to influence them into divulging confidential information. An attacker will work diligently to gain the user’s confidence in order to gain access to information or to a system, and they do this by providing false information.
Human-based attacks on enterprise data rely on interaction between two people, either to obtain sensitive information directly or to carry out malicious acts inside the enterprise.
The human side of social engineering preys on a person’s natural tendency to be helpful and considerate. Once the attacker has gained the user’s confidence, the groundwork has been laid for the attacker to obtain all kinds of information, from eavesdropping and collecting personal information, to impersonating authenticated users and breaking general business practices.
In one common variant, the attacker poses as a high-authority figure and uses this status to request access to computer files and other data. The social engineer overpowers employees with their apparent seniority in an effort to obtain login information, and the employee feels they have no choice but to provide the high-authority figure with the information requested. They may fear losing their job, or at least having a verbal complaint made against them.
In another variant, the perpetrator acts as a valid user of the system or an employee. As such, the attacker is able to gather valuable data from desktops, trashcans, and PC systems. The attacker may pose as a help desk employee, a contractor, technical support, or another third party in order to gain easy access to the information they are seeking.
Attackers could also pose as a valid authorized person with full access to systems or information that is, for some reason, not available to them. The attacker (social engineer) poses as the authorized person and encourages the third party to share sensitive details or to let them into the system, accessing data or circumventing business processes.
In a further variant, the attacker poses as a technical support professional and attempts to obtain information over the phone. The social engineer explains that they need login information in order to troubleshoot network problems on the office computers. Unfortunately, when confronted with this request, an uneducated or unsure staff member might provide the attacker with this information.
Protecting users against social engineering means enhancing technology and policies along with effective user education.
Most security policies are documents hidden from the typical enterprise user. A policy might be signed on the first day on the job and then rarely discussed again. Educating users on security practices needs to be more than a step in employee orientation or a once-a-year checklist item.
Effective security training needs to be frequent, focused, and brief. Rather than treating it as an afterthought, administrators can schedule mini sessions, online modules, or even quick quizzes and games for users on a regular basis, with topics that are easy to understand and remember and short enough for users to fit into their busy schedules.
Pointing out real life cases of social engineering and social engineering in the news can help increase user awareness of the threat that the attack poses to enterprise data. If users are notified of attempts or attacks in the news, it will make them more apt to recognize the signs of a social engineering attack when it happens to them.
As users are educated on the signs of social engineering attacks and learn to recognize them, it is critical that enterprise administrators support users with the right processes to protect data when user training and awareness break down. Adding layers of protection to enterprise data security can ensure that information stays safe even when some elements of the security policy fail.
Multi-factor authentication is one key to helping enterprises keep information out of the hands of bad actors. Administrators can use multi-factor authentication to add restrictions on access to the most sensitive data on network resources. If a network user can reach a system, but the system requires verified users to present a token or certificate before granting access to data, the enterprise remains safe, even from a social engineering attack in which a password has been given away.
In addition to multiple security layers, adding people layers improves data protection. By requiring multiple users to perform the most critical system tasks, or requiring multiple user verifications to access ultra-sensitive information, enterprises can make social engineering more difficult in their organization.
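The two controls described above, factor-gated access to sensitive data and a multi-person rule for the most critical data, can be expressed as a single authorization check. The example below is added here and is not code from the original article; the tier names, factor labels, and `Session` structure are assumptions made for illustration. It shows why a password obtained through social engineering is not enough on its own, and why a requester cannot approve their own ultra-sensitive access.

```python
from dataclasses import dataclass, field

# Sensitivity tiers and what each demands. Tier and factor names are
# assumptions for this example, not a real product's configuration.
POLICY = {
    "public":    {"factors": {"password"}, "approvers": 0},
    "sensitive": {"factors": {"password", "token"}, "approvers": 0},
    "ultra":     {"factors": {"password", "token"}, "approvers": 2},
}


@dataclass
class Session:
    user: str
    factors: set                                   # factors actually verified
    approvals: set = field(default_factory=set)    # users who approved the request


def authorize(session: Session, tier: str) -> tuple:
    """Return (granted, reason) for a request against data of the given tier."""
    rule = POLICY[tier]
    # Layer 1: every required factor must have been verified for this session.
    missing = rule["factors"] - session.factors
    if missing:
        return False, "missing factor(s): " + ", ".join(sorted(missing))
    # Layer 2: approvals must come from other people; no self-approval.
    others = session.approvals - {session.user}
    if len(others) < rule["approvers"]:
        return False, f"need {rule['approvers']} approver(s), have {len(others)}"
    return True, "granted"


def walkthrough() -> dict:
    """Constructed scenarios: a disclosed password versus properly layered access."""
    return {
        # An attacker who talked a user out of their password, but has no token.
        "disclosed_password": authorize(Session("attacker", {"password"}), "sensitive"),
        # A legitimate user with password and hardware token.
        "legit_mfa": authorize(Session("alice", {"password", "token"}), "sensitive"),
        # Ultra-sensitive data: the requester listing themselves does not count.
        "self_approval": authorize(Session("alice", {"password", "token"}, {"alice"}), "ultra"),
        # Two distinct colleagues approve the request.
        "two_person": authorize(Session("alice", {"password", "token"}, {"bob", "carol"}), "ultra"),
    }


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name:20} {result}")
```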
As administrators leverage existing technology along with user education and best practices, they can protect the enterprise and its sensitive data from social engineering attacks. However, every user is responsible for following security best practices. The enterprise mindset needs to shift from treating data security as an IT initiative to making protection against social engineering part of every user's day-to-day responsibility.