As good as many of our IT solutions have become at thwarting security threats, some incidents can't be 100% prevented by technology. Social engineering is one of them. Within the realm of IT security, social engineering is the art of manipulating people so they unknowingly give up confidential information or access.
The types of information criminals are looking for vary but, when someone is targeted, criminals are usually trying to trick them into providing website user IDs and passwords, Social Security numbers, or credit card and banking information. Social engineering is also used to obtain company network logins, which in turn give access to your computers. Once inside, a criminal can quietly install malicious software that steals confidential company or personal information or takes control of a device.
Cybercriminals use social engineering tactics for two reasons. First, it is usually far easier to exploit a person's natural inclination to trust than to find a technical way into the systems that hold the information. Second, because, so often, it works.
At its core, security is about knowing who and what to trust: knowing when to trust that the person you are communicating with is indeed the person you think you are communicating with, when to trust that a website is legitimate, and when providing your information is or isn't a good idea.
The Weakest Link
Security professionals will tell you that the weakest link in the chain is the human being who accepts a person or scenario at face value. There are people who will invariably trust the person in the email who says they need all employee W-2 information sent to them immediately, or that access to their online banking account has been revoked. If you can't verify that the sender is legitimate, it doesn't matter how many layers of technology you have in place; you are completely exposed to whatever risk that scenario represents.
The art of manipulating people into providing access to confidential information isn't new, and it doesn't even require the use of technology. It can be as simple as someone reading out a password over the phone, or someone talking their way past a security guard and gaining physical access to a restricted area.
In each of these cases, there are few technical controls that can prevent the attack. So, in addition to the physical and technological layers of security you use, you should also teach your users to recognize these kinds of threats and know how to deal with them: verify requests for sensitive data through a second, known channel rather than by replying to the message, and report anything suspicious.
It’s important to understand that focusing attention on security awareness is key to reinforcing more responsible behavior. Information security is everyone’s responsibility. That means security awareness should be taught to, and expected from, your entire organization; from top executives all the way down.
Should my company invest in cybersecurity awareness training?
In a word, yes. One of the best ways of fortifying the weakest link in the chain is through the use and enforcement of cybersecurity policy along with cybersecurity awareness training. It’s important for every organization, regardless of size, to have (and apply) a documented set of rules and practices surrounding IT security (a security policy).
Adding an awareness training program—one that covers topics including social engineering (with or without the use of technology), phishing, acceptable use of information, password management, data encryption and incident reporting—can play a significant role in further reducing data breach incidents.
Awareness training also raises employees' understanding of why information security is a vital aspect of your organization, what the consequences of security incidents are, and what is expected of them. In certain industries a formal information security awareness program is not optional, since regulations including FISMA, HIPAA and GLBA require it.
Whether your organization is subject to government regulation or not, at the end of the day the main goal of security awareness is to provide a greater level of protection. An awareness training program helps ensure employees are aware of policies, understand the basic controls in place, know how to spot and avoid potential security threats, and know how to report an incident.
An informed workforce goes a long way toward reducing your overall business risk and costs, and fosters a more security-minded organizational culture. If you'd like more information on how to implement a security awareness training program at your organization, see our handout on Security Awareness Training.