What is Social Engineering?
A hacker who uses social engineering effectively preys on people, not technology. A few common practices include:
- Researching targets on social media to get personal data such as birthdays, addresses, and historical information that may be used to answer security questions.
- Calling the customer service line of a provider the target uses and quoting those researched details to pass identity checks, reset passwords, or otherwise take over an account.
- Impersonating a service provider - a bank, cloud vendor, ecommerce store, etc. - and sending an email with links that, when clicked, lead to malware downloads or to a page that harvests the victim's credentials.
These are just a few examples of social engineering, but the core principle is the same in every case: the attacker assembles personal, private information that you have revealed through your online activity and uses it to impersonate you or to deceive you. For an individual, a social engineering attack can feel like a violation, since it involves a degree of identity theft. For a business, the consequences can be worse still.
Considering the Entirety of the Social Engineering Threat
Approximately 70% of U.S. respondents to the Balabit survey said that insider threats were their primary area of concern, with just 30% citing outside attackers as their primary problem [1]. The reasoning is straightforward: outsiders tend to stick out once they get into your network, which makes them easier to identify and deal with. Insiders look as though they should be accessing your various systems, which makes it much harder to identify precisely when they are engaged in illicit activity.
The study pointed out that social engineering effectively lets outsiders operate as insider threats, because they obtain the credentials of your authorized users. An attacker holding valid credentials can reach your most sensitive data without being noticed, at least not easily, because the access looks like something one of your employees did.
Understanding the Effectiveness of Social Engineering
Social engineering is worrying enough when you consider the technology side of the equation, but how effective are attackers at actually getting users to give up their credentials? Many businesses train employees to identify phishing scams, to avoid risk on social media, and to follow similar practices intended to keep data safe by preventing social engineering, but is that enough? The Verizon 2019 Data Breach Investigations Report found that phishing succeeds at an astonishing rate: phishing is involved in 32% of breaches and 78% of cyber-espionage incidents, and 84% of social attacks feature phishing emails [2].
If that isn't enough to get you worried, the previous year's report found that only 23% of phishing emails were opened. The two figures measure different things (an open rate versus a share of breaches), so the comparison is loose, but it suggests that people have been getting worse at resisting social engineering, or that attackers have been getting better, or both. Either way, the message is clear: social engineering is a real threat, and phishing alone is a major risk. So what can you do about it?
Preventing Social Engineering
In many ways, the best way to keep social engineering from harming your business is to treat a compromised account the way you would an insider threat. A few solutions make this possible, including:
- Network monitoring - Monitoring your network gives you visibility into activity across your systems. That transparency is invaluable because it lets you quickly identify suspicious behavior, including activity performed with valid credentials.
- Behavior tracking - Solutions that track user activity day to day, often through network monitoring, can use analytics to establish what normal behavior looks like for each of your users: the devices and addresses they connect from, the hours they work, and the resources they touch. From there, the system can be set to alert IT security staff when a user begins to behave strangely, so they can check whether the activity is authorized or is the result of social engineering.
- Training - Training your staff isn't a cure-all, but taking the time to show them how to avoid falling prey is important. The key is to train consistently rather than expecting rare, one-time events to keep your workers informed.
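The behavior-tracking idea above, as an added illustration that is not part of the original article or of any product it mentions: build a per-user baseline (known source addresses, known resources, usual working hours) from a window of authentication logs, then score later events against it and raise an alert when an account that has always behaved one way suddenly behaves another. The key=value log format and the sample lines are constructed for this example; the regex would be adapted to a real log source.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical key=value auth log format.
# The baseline window is assumed to contain only legitimate activity.
BASELINE_LOGS = """\
2024-03-04T09:12:33Z user=alice src=10.0.4.21 resource=hr-portal result=success
2024-03-04T13:40:02Z user=alice src=10.0.4.21 resource=payroll result=success
2024-03-05T08:55:10Z user=alice src=10.0.4.21 resource=hr-portal result=success
2024-03-05T16:02:45Z user=alice src=10.0.4.22 resource=payroll result=success
2024-03-04T10:05:00Z user=bob src=10.0.7.15 resource=git result=success
2024-03-05T11:30:00Z user=bob src=10.0.7.15 resource=ci result=success
"""

# Constructed review window: alice's second line is what a phished account
# typically looks like (new address, new resource, middle of the night).
REVIEW_LOGS = """\
2024-03-06T09:03:11Z user=alice src=10.0.4.21 resource=hr-portal result=success
2024-03-06T02:47:19Z user=alice src=203.0.113.9 resource=finance-share result=success
2024-03-06T10:15:00Z user=bob src=10.0.7.15 resource=git result=success
2024-03-06T10:16:00Z user=bob src=10.0.7.15 resource=git result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn log text into event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def build_baseline(events):
    """Per-user sets of seen sources, resources and login hours (successes only)."""
    baseline = defaultdict(
        lambda: {"sources": set(), "resources": set(), "hours": set()}
    )
    for ev in events:
        if ev["result"] != "success":
            continue
        b = baseline[ev["user"]]
        b["sources"].add(ev["src"])
        b["resources"].add(ev["resource"])
        b["hours"].add(ev["ts"].hour)
    return baseline


def score_event(ev, baseline, hour_slack=1):
    """Return the list of ways this event deviates from the user's baseline."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["no_baseline"]  # never-seen account: worth a look on its own
    reasons = []
    if ev["src"] not in b["sources"]:
        reasons.append("new_source")
    if ev["resource"] not in b["resources"]:
        reasons.append("new_resource")
    # Usual working window, widened by hour_slack on each side to cut noise.
    lo = min(b["hours"]) - hour_slack
    hi = max(b["hours"]) + hour_slack
    if not lo <= ev["ts"].hour <= hi:
        reasons.append("off_hours")
    return reasons


def find_anomalies(baseline_text, review_text, min_reasons=1):
    """Score every review event; alert when at least min_reasons deviations hit."""
    baseline = build_baseline(parse(baseline_text))
    alerts = []
    for ev in parse(review_text):
        reasons = score_event(ev, baseline)
        if len(reasons) >= min_reasons:
            alerts.append({
                "user": ev["user"],
                "ts": ev["ts"].isoformat(),
                "src": ev["src"],
                "resource": ev["resource"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(BASELINE_LOGS, REVIEW_LOGS):
        print(alert)
```

Run as-is, this flags only alice's 02:47 login from 203.0.113.9 to finance-share, with all three reasons, and leaves bob's routine activity (including a single failed login) alone. In practice the baseline window must be long enough to cover a user's normal variation, and `min_reasons` is the knob to raise when single-signal alerts (one new address, one late evening) generate more tickets than analysts can verify.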
Training isn't just essential for your end users. Educational programs for your security and IT teams give them a clear view of the emerging technologies and practices that can help them stay ahead of social engineering threats.
Attack techniques are constantly changing, and social engineering is a prime example. New methods of data sharing, social interaction and identity theft emerge all the time, and security professionals must keep up with these developments while also deploying new technologies and training users.
Learning Tree offers a full suite of cyber security training courses, including opportunities to learn the nuances of social engineering and what you can do about it. Effective training can help you stay ahead of the growing social engineering threat. Social Engineering Training: Deceptions and Defenses, course 2012 is a great place to start.