A risk manager must address the possibility of a social engineer breaching the system that they worked so hard to implement. As we mentioned in our series on risk management and human resources, human behavior is one of the most challenging risk to address. The question risk managers need to ask themselves is, “How can I educate my colleagues to prevent social engineering attacks?”.
How to prevent social engineering
Awareness: With all threats and risk, awareness is the most effective control. Risk managers need to educate colleagues on the presence of social engineering and the tactics used by social engineers. As the saying goes, “knowing is half the battle.” As risk manager it is important to stay up to date on the latest tactics being used. Utilizing tools such Google Alerts, reviewing discussion boards, and talking to others in the field is a great place to start.
Testing: Once you have implemented controls, it is important to test the controls in real life situations. Simple test could include penetration test similar to this one, or sending employees links to see if they are willing to click them, even when it is against company policy. Testing should be conducted often and the results need to be shared with your colleagues. In sharing the results with the team you address the first point in raising awareness.
Story Telling: As social engineering is aimed at human emotions, there is no better way to get your point across than by telling stories. There are countless stories available in regards to social engineering. By telling these stories you can provide examples of how social engineers took advantage of others, who are in similar positions as your colleagues. When people hear stories they feel empathy towards victims, especially when the victim is embarrassed. This will serve as influence to protect your colleagues against the embarrassment of becoming a victim of social engineering.
As we all know, the realm of risk management is dynamic. New threats are introduced as fast as new controls are introduced. By embedding a culture of risk management and awareness to threats that exist within your organization, you will be better protected. Social engineering is just one of these threats.