Social Engineering – gaining unauthorized information by deception, including fraudulent activities meant to gain access to computer systems that are protected by passwords, user IDs, etc.
Social Engineering is one of the most overlooked vulnerabilities for security breaches since it relies mostly on human interaction rather than technical/cyber methods and code. Many victims of social engineering do not even realize that they have been duped until it is too late. Many of them do not even share the breach out of embarrassment.
How can I protect my organization from Social Engineers at work?
We have put a list together of the top 10 ways to avoid Social Engineering in your organization. We would like to say from the beginning that these are in no particular order as they are all imperative to the deterrence of the human aspects of Social Engineering.
10. Heighten Security Awareness – Regularly speak with your staff about the security of the data that they handle daily. Also make clear to them policies and procedures that apply to the handling of that data. In some cases you may even want to discuss the consequences for negligence of the data handling.
9. Practice Proper Password Maintenance – Passwords are usually the first thing that people think of as an obvious vulnerability point. Passwords should never be shared (common sense) but they should also be changed regularly and sporadically.
8. Escort Guests in Areas of Sensitive Nature – Whenever there is someone visiting or touring the facility, be sure that they are escorted and handled accordingly. If there is a sensitive topic being discussed, do not speak about it while the guest is there. If there are sensitive files on computer screens or printed material, cover them and shut them down to the lock screen. If this seems like too much work when someone comes through on a tour, then do not take them to that area during the tour.
7. Auto Responders, Vacation Settings and Out of Office Replies – These are a commonly overlooked area of social engineering. If someone knows that you are out of the office for a set amount of time then they could leverage that information in a number of ways. They could act as if you were engaged in a dialogue and imply that something sensitive was promised. There are a host of scenarios that could play themselves out with these. If you are going to have an out-of-office reply then make it as vague as possible so as to avoid having any personal information divulged while you are away.
6. Be Aware of Workstation Security – When employees are in the workplace they tend to think that the data on the screen of their computer is safe around other employees, and don’t think about visitors looking over their shoulder. Best practice states that you should lock your computer screen even when you think you do not need to. Defending against social engineering (and improper disclosure of sensitive information) in this manner will be most effective. This is the most common of all social engineering breaches but it is also one of the easiest to solve.
5. Limit Information Disclosed Via Telephone – In today’s technologically advanced world people still use the telephone as a business tool, and there is still no simple or feasible security measure(s) to confirm identity. All a social engineer needs to do is present themselves as someone of some level of authority to gain access to sensitive data.
4. Use “Best Practices” for Email Usage – Almost everyone has gotten a nasty email that shows up in their In Box that led to something bad happening to their personal PC. In the workplace with access to a multitude of business-sensitive information you won’t be losing pictures of “Aunt Agnes”, but rather personal and/or health and financial information that can be used for gain by the social engineers. Your organization should have an email usage policy in place and constantly have appropriate security measures in place to handle phishing and malware scams.
3. Create a Central Point for Reporting – In a perfect world every employee would police the workplace for suspicious behavior but this becomes hard to do and is not feasible when individuals are focused on the demands of work related tasks. Make it easy for your employees to report something suspicious by creating a central reporting point such as a Supervisor, an intranet-based alert system or a small list of employees that can be contacted. Also be sure to have regular employee awareness training or keep information posted about what to look for and where to go or how to report it.
2. Physical Security Monitoring – Many companies deploy security cameras. Other companies set up a badge access system. Some do both. The bottom line is anything you can do to monitor the traffic of people who work around or with your organization’s sensitive information the safer you are. Be sure that your organization can keep a current record and running tally of who is around the sensitive information and when.
1. Question People You Don’t Know – In larger organizations it becomes increasingly harder to really “know” all of your co-workers. It becomes more important in these cases to really talk and question people you do not know or have not seen before. Each employee should be empowered to practice this. If done professionally, it will create greater morale for your employees and they will know more employees within the organization creating a host of operational benefits.
Each of these tips will help your organization protect its sensitive information from social engineers within or outside of your business. Security Awareness Training is the best way to combat social engineering in the workplace. If your company would like to learn more about this training, please CONTACT US today to speak with one of our Security Experts.
