Nate Lord | October 23, 2015

Social Engineering Attacks: Common Techniques & How to Prevent an Attack

Social engineering attacks are not only becoming more common against enterprises and SMBs, but they're also increasingly sophisticated. With hackers devising ever-more clever methods for fooling employees and individuals into handing over valuable company data, enterprises must exercise due diligence to stay two steps ahead of cyber criminals.

Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.

October is National Cyber Security Awareness Month, and in recognition of the initiative we wanted to educate companies, employees, and end users on how to better recognize social engineering efforts and prevent these attacks from succeeding. To uncover some of the most common social engineering attacks being used against modern enterprises and get tips on how to avoid them, we asked a panel of data security experts and business leaders to answer the following question:

"What are the common social engineering attacks made on companies, and how can they be prevented?"

See what our experts had to say below:

Joe Ferrara

@WombatSecurity

Joe Ferrara is President and CEO of Wombat Security Technologies. Joining Wombat in 2011, Joe brings 20 years of experience in technology marketing, operations and management to his role as President and CEO. Recently Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia and received a CEO of the Year award from CEO World. Joe has provided expert commentary and has spoken at numerous information security industry events including RSA Europe, the CISO Executive Network forum, ISSA International, and information security regional conferences.

My advice for companies related to the increasing prevalence of social engineering attacks is...

Commonly defined as the art of exploiting human psychology to gain access to buildings, systems, or data, social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. A recent Check Point-sponsored survey revealed that 43 percent of the IT professionals surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60 percent citing recent hires as being at high risk for social engineering.

Companies should:

  • Take a baseline assessment of employee understanding.
  • Help employees understand why their security discretion is vital to corporate health.
  • Create a targeted training program that addresses the most risky employees and/or prevalent behaviors first.
  • Empower employees to recognize potential threats and independently make correct security decisions.
  • Improve knowledge retention with short interactive training sessions that work easily into employees' busy schedules and feature proven effective learning science principles.
  • Monitor employee completion of assignments and deliver automatic reminders about training deadlines.
  • Show measurable knowledge improvement over time with easy-to-read reports for executive management.

Companies should promote a people-centric security culture that provides ongoing training to consistently inform employees about the latest security threats. Fighting attacks against the human mind requires behavioral changes more than technology defenses.

Companies should use a combined approach of simulated social engineering attacks coupled with interactive training modules to deliver the best result. Incorporating continuous training methodology can be the difference between a five-alarm data breach and a quiet night at the office.
