“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
Bruce Schneier wrote this in his book “Secrets and Lies: Digital Security in a Networked World”, published in 2000. The notion still holds true in 2023 and is backed by Verizon data showing that 74% of data breaches in 2023 involved the human element. In 2022, organizations across the globe received 2.7 phishing emails per day on average, and the average cost of a social engineering attack was $130,000.
Social engineering, by definition, bypasses an organization’s information security apparatus and targets employees and even CEOs. But that does not make an organization powerless against the social engineering threat. Business leaders can prevent social engineering attacks with the right policies and procedures. This post will highlight company-wide policy implementations’ role in reducing socially engineered cyberattacks and security breaches.
Types of social engineering attack techniques
A wide variety of methods are used to mount social engineering attacks. Although they use different mediums, the goal is always the psychological manipulation of human beings. This section discusses the more popular social engineering tactics used by attackers.
Phishing is one of the most common forms of social engineering (SE) attack. It involves using fabricated communications to coerce victims into divulging credentials or other sensitive information. Phishing can be carried out through email, SMS, landing pages, and other channels. The end goal of phishing is either to obtain information or to make the target perform an action, such as downloading a piece of malware.
Tailgating is a physical manifestation of social engineering where an unauthorized person tries to get into a restricted area by closely following a legitimate visitor who might, out of human courtesy, hold the door open for the infiltrator.
Baiting is a form of social engineering where the target is offered an enticing reward in exchange for sharing credentials or clicking on a link.
Pretexting is often considered a part of phishing attacks. This is where the attacker creates a carefully articulated scenario to manipulate the target into sharing sensitive information.
In watering hole attacks, the malicious actor identifies sites that are regularly used by the targets. Then, they create a clone of the site and lure the targets to the fake site to infect their systems with malware.
These attacks can be further classified into sub-categories based on their mediums, nature, and targets. The scope of this article doesn’t allow a detailed discussion of different types of social engineering attacks and how to prevent them. We shall focus on the policies and procedures that can help reduce such attacks.
Policies to prevent social engineering
Employees who encounter a phishing email or accidentally share information with a potential bad actor often do not know how to proceed. They are not sure whom they should inform, what actions they should take, and most importantly, how they can avoid such situations to begin with.
This is why cybersecurity policies need to be laid out clearly for every employee, and employees should receive formal training on how to abide by those policies.
Important policies to prevent social engineering
The following sections will shed light on policies pertaining to different aspects of information security that can help thwart different types of attacks. The points mentioned here should be taken as models or examples that can be applied to specific business cases with necessary adjustments.
Security awareness training
Security awareness training makes the employees of an organization more challenging targets for phishing attacks but only if they remember the training. Companies can organize frequent practical drills to assess the attack readiness of their employees. These can be done through phishing simulations and other social engineering simulations. Psychological resistance against social engineering is only achievable through consistent practice.
Shadow IT policies
Connecting personal devices to organizational networks has become a common practice. As such, the actions of an employee outside of work can affect the organization. For instance, let’s say an employee falls prey to phishing while browsing the internet and the hackers get remote access to that employee’s computer. When that individual logs into an application the organization uses, the bad actors get unauthorized access to data.
To prevent this, organizations need strict policies to bring shadow IT into the light. Every application on every computer connected to the organization’s network should be reviewed by the IT department. Companies can use Shadow IT monitoring tools to make things easier.
There is a crucial relationship between authentication and phishing. Consider this scenario: An individual receives an email purporting to be from Amazon that says she has won a special discount on a specific product for a short period (the product is usually something the individual had recently searched for). All she needs to do is click on a link and log into her account. She clicks on the link and lands on a login portal where she types in her credentials.
The email was fake and the login portal was a phishing site. Hackers now have access to the individual’s account and they can change the password and place orders using the in-app credit feature. The individual becomes a victim of social engineering.
Had the individual enabled two-factor authentication for her account, the hackers would not have been able to break into it with the password alone.
Every account for every application connected to the organization’s network needs two-factor authentication. It strengthens the defence against cyberattacks like social engineering and password cracking to a certain degree.
Is implementing 2-FA enough?
Unfortunately, it is not.
Consider this: The hacker steals the username and password for a specific account through a phishing site. Remember, the victim is also trying to log into her account by typing in the credentials, so she expects a 2-FA PIN to arrive on her phone or another device. The hacker only needs to present a cloned 2-FA input field where the victim types in the PIN, which the hacker can then use on the real login page.
Multifactor authentication adds a layer of authentication on top of 2-FA; it usually involves biometric data or incorporates a third device or application in the authentication process. It complicates the login procedure and eats up a lot of time. Hence, MFA is not extremely popular among workers.
Automated employee login
Employees could not accidentally share their credentials if they did not have them to begin with. With Uniqkey’s automated employee logins feature, individuals can log into various work accounts without ever typing in the usernames and passwords or reading the 2FA PIN. The password manager handles the whole process from password generation to employee authentication.
Access control policies
The principle of least privilege should be applied to all employees across departments. Employees should have access to what they need, for as long as they need it. There should be swift onboarding and offboarding procedures in place that ensure access is granted and revoked promptly. Uniqkey’s centralized access management system can be of great assistance in this.
Social media policies
Social media platforms are a rich source for attackers gathering publicly available information about individuals. The more information is available publicly, the more detailed and convincing a piece of fabricated communication can be.
People who overshare on social media are targeted with scams more often. While social media activity lies in the realm of personal affairs, organizations can share recommendations for social media settings that can be important to prevent social engineering.
General security measures
Implementing antivirus and firewalls is a must for organizations with internet-facing computers. The IT department has to ensure that all employees – full-time staff, part-timers, and contractors – are protected by firewalls and antivirus.
Regular security testing helps an organization find existing vulnerabilities, backdoors, misconfigurations, etc.
The use of password managers can significantly reduce the risk and impact of social engineering attacks.
Installing spam filters can block a larger portion of spam and phishing emails.
A culture of security
A company is genuinely secure when its employees accept security as one of the core operational values like revenue, leads, and conversions. This can happen with carefully orchestrated training, easily understandable policies, and simple and easy-to-follow procedures. When an organization hosts a culture of security, social engineers automatically move on to the next target.