As risk manager you have setup a system that protects your data from outside attackers and you have secured your premises with all the latest advancements. However, there is a threat that can break through all the fences, social engineering.
We covered this topic in a previous post regarding physical security. In our example, a gentleman dressed as a technician was able to penetrate a bank and install a device to steal data. How was he able to do this? He utilized social engineering.
Social engineering in the context of security, is “art” of manipulating people into executing actions or disclosing confidential information. Social engineers will use tactics that tap into the human psyche and emotions of the victim. Using tactics as simple as posing as a co-worker who forgot their access badge or sending malicious links via Facebook to gain access to buildings or data.
A risk manager must address the possibility of a social engineer breaching the system that they worked so hard to implement. As we mentioned in our series on risk management and human resources, human behavior is one of the most challenging risk to address. The question risk managers need to ask themselves is, “How can I educate my colleagues to prevent social engineering attacks?”.
Awareness: With all threats and risk, awareness is the most effective control. Risk managers need to educate colleagues on the presence of social engineering and the tactics used by social engineers. As the saying goes, “knowing is half the battle.” As risk manager it is important to stay up to date on the latest tactics being used. Utilizing tools such Google Alerts, reviewing discussion boards, and talking to others in the field is a great place to start.
Testing: Once you have implemented controls, it is important to test the controls in real life situations. Simple test could include penetration test similar to this one, or sending employees links to see if they are willing to click them, even when it is against company policy. Testing should be conducted often and the results need to be shared with your colleagues. In sharing the results with the team you address the first point in raising awareness.
Story Telling: As social engineering is aimed at human emotions, there is no better way to get your point across than by telling stories. There are countless stories available in regards to social engineering. By telling these stories you can provide examples of how social engineers took advantage of others, who are in similar positions as your colleagues. When people hear stories they feel empathy towards victims, especially when the victim is embarrassed. This will serve as influence to protect your colleagues against the embarrassment of becoming a victim of social engineering.
As we all know, the realm of risk management is dynamic. New threats are introduced as fast as new controls are introduced. By embedding a culture of risk management and awareness to threats that exist within your organization, you will be better protected. Social engineering is just one of these threats.