In 2022, Google blocked 100 million phishing emails daily. 48% of all emails sent last year were spam and phishing attempts. Social engineering is one of the most important tools in an average hacker’s arsenal.
It has been consistently effective and very hard to eliminate. That is why social engineering attacks are so popular and used so widely. Nevertheless, organizations can strengthen their defence against social engineering attacks by training employees to detect social engineering tactics.
This post will discuss steps an organization can take to spread awareness about social engineering among its employees and build a strong security culture. Before delving into the training methods and best practices, it is important to be familiar with common social engineering tactics.
The importance of security awareness training
A computer would take 34,000 years to crack a 12-character password with at least one upper-case letter, one lower-case letter, one symbol, and one number. With the world’s current computational prowess, breaking 256-bit encryption could take millions of years.
Even getting a malware payload past firewalls and attack surface monitoring systems is quite hard. It takes a lot of preparation and technical prowess. Tricking people into sharing credentials and access to sensitive files is much easier than most cyberattack methods.
Security awareness training helps an organization remediate its most easily exploitable vulnerability: its people. Here is what a security awareness training program can do for a team.
- Enable them to discern between legitimate and illegitimate communication
- Make them comfortable with the security policies and codes of conduct
- Provide simple and clear guidelines to follow when they spot a social engineering attempt
- Instil secure habits and practices in regular operations
Implementing social engineering awareness training
Two notions need to be dispelled straight away:
One, that social engineering and cyber security are IT issues. They are not. They are business issues. If a social engineer steals a salesperson’s credentials and logs into the company’s ERP software, sensitive data is exposed no matter how well the IT department has done its job.
Two, that a crash course on recognizing social engineering during onboarding prepares an employee to detect and prevent social engineering in real life. It does not. The goal should be to build a culture of security, not to overwhelm a newcomer with information they will not retain for more than a month.
Training employees to recognize social engineering attacks
- Show, don’t just tell, employees what social engineering is.
- Discuss different types of social engineering with practical examples
- Lay down the do’s and don’ts in terms of preventing social engineering
For instance, employers can hire an information security expert to talk about phishing for an hour. The lecture goes deep into the psychology of phishing and also highlights various tell-tale markers that help an individual distinguish between legitimate and malicious emails.
- Build a team of social engineers who apply common tactics against randomly selected employees.
- Run a phishing simulation.
- Make it a fun activity to detect phishing emails and prevent social engineering attacks.
The social engineering team can call an individual and pretend to be a senior manager. They can then ask for access to a sensitive document. Or, the social engineers can leave a USB drive at the office canteen to see how employees react to it.
Create clear, accessible, and comprehensive policies around social engineering. Employers and employees alike should have thorough guidelines on what to do if
- They receive a phishing email
- They receive a voice call from an impersonator
- They have accidentally exposed sensitive information
- They encounter any other social engineering attempt
4. General code of conduct
While there are designated security personnel in an organization, vigilance is something every employee should practice, because those who do not will be seen as weak links and targeted. These are some simple workplace practices that can make a difference.
- ID everyone trying to access secure areas
- Do not use a USB device unless it is provided by the IT department.
- Report lost/stolen badges within 12 hours of discovery.
- Raise an alert as soon as an attempted social engineering attack is discovered.
5. Consistency and continuity
Any effort to educate employees about social engineering can be fruitful only if the effort is repeated and integrated with regular operations. The importance of building a culture of security where people almost instinctively know what not to do cannot be emphasized enough.
Social engineering awareness training has to be frequent, inclusive, and, most importantly, up-to-date.
No organization is completely hack-proof. But for small and mid-size companies, avoiding a cyberattack often comes down to being a little better prepared than others. So, businesses where employees haven’t been trained to recognize social engineering techniques run a higher risk of being attacked.
The limitations of social engineering training
While there is no alternative to training employees to detect psychological manipulation, it might not be enough. An organization with 200 employees has 200 people to train, whereas the attacker has to find just one vulnerable individual to carry out a data breach.
- Human psychology is variable, and people may react to social engineering tactics differently under different circumstances.
- Phishing attacks and other types of socially engineered attacks are becoming more and more sophisticated.
- Attackers are adapting to the countermeasures.
The solution is to move the onus of securing data and credentials away from the workers. This is where powerful password management and access management tools like Uniqkey come into play.
With Uniqkey, organizations can enable automated employee login, eliminating the need to remember or even know credentials to online service accounts. With features like secure password sharing, the chance of unwittingly sharing a password with an impersonator is eliminated. The shadow IT dashboard and access logs detect any anomalous activity immediately.
5 Social Engineering Attack Methods to Be Aware of
Social engineering attack methodologies are often intertwined. Attackers combine methods to find quicker and more effective ways into the human mind. It is hard to discern between a phishing attack and a baiting attack, as both use illegitimate communication and misinformation to coerce victims into making bad decisions. The difference is often in the psychology behind the social engineering attack.
1. Phishing
Phishing can be broadly defined as deceptive online tactics to manipulate individuals into divulging sensitive information or performing harmful actions.
A very wide spectrum of cyber attack methodologies are associated with phishing. From fake emails trying to make someone share personal information to AI-powered voice calls impersonating a senior executive – all come under the umbrella of phishing with different names.
There are many sub-categories of phishing such as
- Smishing: Phishing via SMS
- Vishing: Phishing via phone calls
- Whaling: When hackers try to phish high-level executives
- Baiting: Enticing victims to perform an action in return for a reward
2. Pretexting
Pretexting is the process of fabricating a scenario combining truth and misinformation to gain the trust of an individual and persuade them to perform an action.
Pretexting is often used with phishing to gain access to information or deliver malicious payloads.
3. Quid Pro Quo
In a quid pro quo attack, the attacker offers something in return for information. It draws on the psychological phenomenon of reciprocity and trust. It exploits the human tendency to return a favor. Attackers often create a fake problem and offer to solve it in return for sensitive information or access to a system.
In conjunction with phishing and pretexting, a quid pro quo attack can be quite effective.
4. Impersonation
Impersonation is one of the most commonly used tactics of social engineering. Attackers gather information about people close to the victim – colleagues, seniors, someone with authority over them – and simply impersonate them in writing and, thanks to AI, in voice conversations.
5. Tailgating
Tailgating is a more physical form of social engineering where attackers exploit the human tendency to hold the door for the person following closely. They can try to gain access to physical areas secured by access cards using the tailgating method. Tailgating also involves impersonation, as the attackers fit into the environment.
All of these methods rely on the principles of persuasion applied to various psychological tendencies and biases exhibited by human beings. Just to be clear, employers are just as susceptible to socially engineered cyberattacks as employees.
Social engineering awareness training is essential to reduce the impact of such attacks on businesses; a password vault with military-grade encryption powered by zero-knowledge technology surely helps.
Uniqkey eliminates the need for employees to remember multiple passwords, making it more difficult for attackers to exploit weak passwords. Uniqkey’s two-factor authentication (2FA) solution adds an extra layer of security by requiring users to provide something they know (password) and something they have (token) to authenticate. Uniqkey’s risk-based access control (RBAC) solution allows organizations to dynamically control access to resources based on the user’s role, location, and other factors.