There are many ways to compromise a corporate network and steal information. But, in the end, the most popular and successful tactic is social engineering. While the NSA/Edward Snowden incident is probably the most famous example of social engineering, the truth is that no business is insusceptible to a social engineering attack.
Here are a few facts about social engineering cyber-attacks.
- 62% of businesses have experienced a social engineering attack. (Source)
- 63% of data breaches come from internal sources.
- 65% of professionals identified phishing and social engineering as the biggest security threat to their organization. (Source)
What makes these types of attacks even more alarming for IT professionals? The human factor, as social engineering is hard to prevent. Because many of these attacks target people, not computers , it makes it incredibly difficult for IT departments to prevent.
3 Common Social Engineering Attacks to Watch Out For
While social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved, here are three of the most common tactics we see:
- Phishing and Spear Phishing. The most common social engineering attacks we see are phishing emails. In spear phishing, the attacker targets very specific employees with a message that seems more personal and genuine. When the employee responds or interacts with the email, it allows the attacker to hack into the computer or install malware.
- Pretexting. Pretexting involves creating a fake persona or using one’s role in an improper way to secure sensitive information. Because the human interaction seems more trustworthy, all sorts of data can be gathered using this tactic.
- Baiting/Scareware. As its name implies, baiting attacks use a false promise to pique a victim’s curiosity that lures them into a trap that steals their personal information or inflicts their systems with malware. Scareware often deceives users to think their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself.
Protecting Your Organization Requires People, Processes, and Technology
While several technical solutions are available to prevent social engineering attacks, the weakest link is often the human.
At LBMC Information Security, our team has identified three key areas to help organizations take a holistic approach to protecting against social engineering attacks by addressing people, process, and technology.
- People—Protecting your organization against social engineering attacks requires rigorous training, education, and testing. This means developing and establishing a targeted security awareness program centered on social engineering.
- Process—In addition to educating employees, it’s important for organizations to identify your critical data and establish handling guidelines or policies for protecting it.
- Technology—It’s essential that technology be implemented to reduce the risk of a social engineering attack. Testing should be conducted to validate those controls.
Because each of these areas encompasses many different dependencies, creating a comprehensive plan for preventing social engineering attacks can be overwhelming. However, there is a way for organizations to regularly test these areas to proactively prevent an attack.
Penetration Testing: How to Proactively Protect Against Social Engineering Attacks
Penetration testing has become a vital way for organizations to ensure they are completely protected against a social engineering attack. These comprehensive tests are custom-designed for your organization and allow you to identify and determine risks with your people, processes, and technology by simulating how a social engineering attack would target your organization.
From sending fake phishing emails with spoofed sites to posing as callers who try to secure sensitive information to dropping a USB drive in the office, penetration testing uses a variety of techniques to gauge your company’s susceptibility to these common social engineering attacks.
If you’re looking for a way to enhance your ability to prevent social engineering attacks, we’d love to discuss specific ways we can help.