Nobody’s Fool: Combating Social-Engineering Risks

In a 2017 Ponemon study, nearly 70 percent of companies said they've experienced phishing and social engineering.

These threats, while always serious, used to be almost comical in how easily they could be spotted. The “tells” could be obvious, such as poor spelling in phishing emails or unlisted phone numbers in calls that claimed to come from a help desk.

But social engineering tactics have evolved. Their communications are more convincing and sophisticated. And, that can make them more successful in manipulating workers in your company and stealing your sensitive data.

For example, today’s phishing emails often look like exact replicas of those coming from the companies they’re imitating. The emails can even contain personal details of targeted victims, making them even more convincing.

In one incident, bad actors defrauded a U.S. company of nearly $100 million by using an email address that resembled one of the company’s vendors, as Reuters reported. In another case, CSO detailed how a bad actor manipulated call-center workers to get a customer’s banking password.

The more mobile nature of work has also created opportunities for social engineers to target data exposed on laptop or mobile-device screens. For example, a bad actor could pose as a trusted vendor in an office or as a business associate in a foreign country, and then subtly capture data with a smartphone or hidden recording device.

A Three-Tiered Defense

Given the prevalence and advanced nature of social-engineering threats, your privacy and security measures should cascade across three key areas: people, processes and technology.

Some measures to consider using in each area include:

1. People: Provide ongoing training to educate workers about social-engineering threats, and procedures for preventing or responding to them. Employees who regularly handle sensitive information are more likely to be targeted – like HR, sales or accounting workers. They should be your company’s most knowledgeable workers about threats and procedures and should be fully engaged to help identify threats.

For example, encourage workers to use the "Report email" or “Report as Phishing” icons that can be enabled in Microsoft Outlook. The service provides an easy way for workers to report suspicious messages, so IT can take steps to mitigate their impact. IT managers can also monitor the use of the icon to statistically track worker awareness and engagement.

If your company has separate IT and security teams, make sure there is a clear understanding about who is responsible for managing social-engineering threats. Any misunderstanding between these parties can lead to security gaps and a lack of accountability if an attack occurs.

2. Processes: Policies that encourage workers to not click on suspicious links or provide information to outside organizations go without saying. But make sure you also have procedures for workers to give you details about attempted attacks. This can help you investigate suspicious emails, URLs and phone numbers, and better understand your vulnerabilities.

As you review and refine your policies, always aim for simplicity. Overly complex security protocols can be too much for workers to remember and can fail.

3. Technologies: Security-perimeter controls like anti-virus protection and IDS/IPS remain vital. Also, use security intelligence tools to understand your security ecosystem and the potential risks you face. Encrypt data to make it unreadable, even if it’s stolen.

All laptop and mobile-device screens should be fitted with privacy filters. The filters blacken out the angled side views of screens to help office workers and business travelers safeguard data from onlookers or even cameras.

Keep Evolving

A strong defense against social-engineering threats requires more than training and educating workers. You and your IT team must be vigilant about emerging threats so that as they evolve, your security and privacy measures evolve with them.

About the Author:

Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, and a 3M privacy consultant. 3M compensates him in connection with his participation as a privacy consultant.