Social Engineering: Protecting the Human Element of Cybersecurity

Phishing, baiting, whaling, scareware, pretexting and so on: social engineering has a plethora of attack techniques that sound far more complex than they actually are. The method behind social engineering is to get the target, whether one person or a whole team, to do the heavy lifting. How? All those emails, texts and automated phone calls asking for your personal information because you have won something, you have apparently been hacked, you have subscribed to something, or for anything else you don’t remember signing up for or doing. These are usually cybercriminals “baiting” people into handing over their credentials, and it is still their most profitable method. In fact, 85% of breaches in 2021 involved a human element that let an attacker into an environment.

What makes Social Engineering so Dangerous

Social engineering doesn’t require the technical skills glorified in movies when a hacker breaches a system, and it doesn’t require fine-tuned software that hunts for weaknesses in an environment. All an attacker needs is some contact information for a person (email address, social media profile, phone number, work location), a fake but official-looking website that asks the target for specific credentials, and the patience to keep sending messages to potential victims until one takes the bait. It is a very simple process with devastating results, because once the correct credentials are being used nothing about the login itself is wrong: detecting the compromise then comes down to behaviour, such as a sign-in from a country, device or time that the real user has never used.
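An added example of what that behavioural check looks like, not Nclose’s product or code: a small Python script runs over a constructed sign-in log in which every successful sign-in was made with the correct password, and flags the ones that do not fit the user’s baseline (a location or device the user has never used, or two sign-ins too far apart to be one person). The log lines, the baseline and the city coordinates are all made up for the example.

```python
"""
Spotting misuse of valid credentials from sign-in logs.

Added example for this article, not Nclose's product or code. The log lines,
the per-user baseline and the city coordinates are constructed for
illustration; in practice they come from your identity provider's sign-in
log, a learned baseline and a GeoIP database.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a GeoIP lookup: city -> (latitude, longitude).
GEO = {
    "Cape Town": (-33.92, 18.42),
    "Johannesburg": (-26.20, 28.04),
    "Moscow": (55.76, 37.62),
}

# Constructed baseline: where and from what each user normally signs in.
BASELINE = {
    "alice": {"cities": {"Cape Town", "Johannesburg"}, "devices": {"win-laptop-01"}},
}

# Anything faster than a commercial flight between two successful sign-ins
# cannot be one person.
MAX_KMH = 900.0

# Constructed sign-in log: timestamp|user|city|device|result
SAMPLE_LOG = [
    "2024-03-04T08:00:00|alice|Cape Town|win-laptop-01|success",
    "2024-03-04T08:45:00|alice|Moscow|unknown-android|failure",      # attacker mistypes the phished password
    "2024-03-04T08:47:00|alice|Moscow|unknown-android|success",      # the phished password works
    "2024-03-04T09:30:00|alice|Johannesburg|win-laptop-01|success",  # the real Alice, right after the intruder
]


@dataclass
class SignIn:
    ts: datetime
    user: str
    city: str
    device: str
    success: bool


def parse(line):
    ts, user, city, device, result = line.split("|")
    return SignIn(datetime.fromisoformat(ts), user, city, device, result == "success")


def km_between(city_a, city_b):
    """Great-circle (haversine) distance in km between two cities in GEO."""
    (lat1, lon1), (lat2, lon2) = GEO[city_a], GEO[city_b]
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def analyse(lines):
    """Return (timestamp, user, reasons) for each successful sign-in that looks wrong.

    The password check passed for every one of these, so the only signal is
    behaviour: a location or device the user has never used, or two sign-ins
    too far apart in too little time to have been made by one person.
    """
    alerts = []
    last_ok = {}  # user -> previous successful SignIn
    for s in map(parse, lines):
        if not s.success:
            continue  # failed attempts belong to a separate brute-force rule
        base = BASELINE.get(s.user, {"cities": set(), "devices": set()})
        reasons = []
        if s.city not in base["cities"]:
            reasons.append(f"new location: {s.city}")
        if s.device not in base["devices"]:
            reasons.append(f"new device: {s.device}")
        prev = last_ok.get(s.user)
        if prev and prev.city != s.city:
            hours = (s.ts - prev.ts).total_seconds() / 3600
            km = km_between(prev.city, s.city)
            if hours <= 0 or km / hours > MAX_KMH:
                reasons.append(f"impossible travel: {prev.city} -> {s.city}, {km:.0f} km in {hours:.1f} h")
        if reasons:
            alerts.append((s.ts.isoformat(), s.user, reasons))
        last_ok[s.user] = s
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in analyse(SAMPLE_LOG):
        print(ts, user, "; ".join(reasons))
```

Run stand-alone it prints two alerts: the Moscow sign-in trips all three checks, and the real user’s next sign-in from Johannesburg trips the impossible-travel check against the intruder’s session, which is exactly how a compromise of valid credentials tends to surface in practice.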

Addressing the Human Element

Social engineering always enters through a person, and cybercriminals have become very good at convincing the untrained eye that they are a trustworthy source. In a technology-driven world it is very easy to make something look official, and because we spend so much of our lives online we become complacent about where we enter our credentials when something looks legitimate. At Nclose, as cybersecurity professionals we are naturally aware of the red flags of social engineers. Here are some basic rules a company can use as a starting point to make life difficult for them.

  • Password Protection: People often reuse easy-to-remember or familiar passwords across many of their logins. Generate a random, unique password for every work account and keep it in a password manager, so that no employee password is related to any password they use outside the business and a password phished from one site opens nothing else. Change passwords when there is reason to suspect compromise rather than on a fixed schedule (current NIST guidance), since forced periodic rotation pushes people back towards predictable patterns, and add multi-factor authentication so that a phished password on its own is not enough.
  • Random Social Engineering Tests: Test employees by sending emails with the subtle differences a social engineer would use (a look-alike sender domain, an urgent request, a link to a login page) to gauge how many take the bait. Measure not only who clicked or entered credentials but who reported the message, because a fast report is what actually limits the damage. The results show how susceptible the workforce is, so that targeted training can teach people what to look for in future.
  • Triple Checking: When receiving or sending any form of communication, checking the other party is something that is not stressed enough. Make sure you are sending to and receiving from the correct recipients, and look at the actual sender address and domain rather than the display name. Sites like LinkedIn make it easy for a social engineer to see who you work with, so they may pose as a colleague from an address that differs from the real one by a single character.
  • Querying: Communication is key. If something seems illegitimate, query it with the relevant people in your company. For example, when an email or sender has been flagged as suspicious, a notice goes out to the entire company saying what it was and that it has been blocked. It is also a good way for employees to see what a phishing attempt looks like.
  • Habitual: Basic cybersecurity hygiene needs to become habitual. Everyone learns differently, but something repeated often enough becomes second nature. If companies train their employees in the basics of cybersecurity hygiene, the training must be regular and repeated until it becomes a habit.
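The “subtle differences” behind the testing and triple-checking rules above are almost always in the sender’s domain. The script below is added here as an illustration and is not part of Nclose’s products: it checks an address against a list of trusted domains and flags the common look-alike tricks, namely digit and capital-letter substitutions, Cyrillic letters hidden behind punycode, a single-character edit, and the real name buried inside a longer domain. The trusted domain and every sample address are constructed for the example.

```python
"""
Checking a sender or recipient domain against the domains you actually trust.

Added example for this article, not Nclose's product or code. The trusted
domain list and every sample address are constructed for illustration.
"""
TRUSTED = {"nclose.com"}  # constructed: the organisation's own mail domain(s)

# Characters that render like ASCII letters in common fonts (a partial map of
# the substitutions attackers use). Applied before lower-casing so that a
# capital I standing in for a lowercase l is still caught.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "I": "l", "|": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u04bb": "h",  # Cyrillic c s i h
    "\u0131": "i",                                               # dotless i
})


def skeleton(domain):
    """Fold a domain to what it looks like on screen to a human reader."""
    labels = []
    for label in domain.strip().strip(".").split("."):
        if label.lower().startswith("xn--"):
            # Punycode: recover the Unicode the mail client would display.
            try:
                label = label.lower().encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    folded = ".".join(labels).translate(CONFUSABLES).lower()
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, so a single dropped, added or changed character is caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_address(address):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'external'."""
    domain = address.rsplit("@", 1)[-1].strip()
    if domain.lower() in TRUSTED:
        return "trusted", domain.lower()
    skel = skeleton(domain)
    for trusted in TRUSTED:
        trusted_skel = skeleton(trusted)
        if skel == trusted_skel:
            return "lookalike", f"{domain} displays like {trusted}"
        if levenshtein(skel, trusted_skel) <= 1:
            return "lookalike", f"{domain} is one edit away from {trusted}"
        name = trusted.split(".")[0]
        # nclose.com.secure-login.net or nclose-support.com: the name as a label
        if name in domain.lower().replace("-", ".").split("."):
            return "lookalike", f"{domain} embeds the name {name} but is not {trusted}"
    return "external", domain.lower()


# Constructed sample addresses. CYRILLIC_DOMAIN is the punycode form of
# "ncl<Cyrillic o>se.com", which a mail client renders as nclose.com.
CYRILLIC_DOMAIN = "ncl\u043ese.com".encode("idna").decode("ascii")
SAMPLE_ADDRESSES = [
    "it@nclose.com",
    "helpdesk@nc1ose.com",
    "helpdesk@ncIose.com",
    "finance@" + CYRILLIC_DOMAIN,
    "ceo@nclose.com.secure-login.net",
    "alice@nclose.co",
    "bob@example.org",
]


def triage(addresses):
    """Map each address to its verdict; anything but 'trusted' deserves a second look."""
    return {addr: check_address(addr)[0] for addr in addresses}


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        verdict, reason = check_address(addr)
        print(f"{verdict:9} {addr:40} {reason}")
```

The order of checks matters: the exact match on the lower-cased domain comes first so that a legitimate address is never flagged for containing characters the skeleton would fold, and the skeleton is computed before lower-casing so that a capital I posing as an l survives long enough to be caught. An unrelated domain is reported as external rather than safe, which is the right default for a rule that feeds a report-it-and-ask process.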

What we offer

We sell products specifically designed to help and train the employees in your business more extensively and on a regular basis, so that cybersecurity hygiene becomes second nature to them. Beyond training, we offer prevention, protection and mitigation should someone in your business environment be compromised, and we can identify suspicious activity even when someone is using stolen credentials, so the attack can be stopped before it becomes devastating to your business.

Need to Mitigate a Cyber Risk?