A hacker who uses social engineering effectively preys on people, not technology. A few common practices include:
These are just a few examples of social engineering, and the core principle is the same across all of these – hackers gain personal, private information about you that you have revealed through your online practices. Social engineering attacks can leave an individual feeling violated because they involve a degree of identity theft. From a business perspective, however, the feeling could be even worse.
Approximately 70% of U.S. respondents to the Balabit survey said that insider threats were the primary area of concern, with just 30% citing outside attackers as their primary problem.1 The idea here is straightforward – outsider threats will tend to stick out when they get into your network, making them easier to identify and deal with. Insiders appear like they should be accessing your various systems, making it much harder to identify precisely when they are participating in illicit activities.
The study pointed out that social engineering actually allows outsiders to function as insider threats because they gain the credentials of your authorized users. This lets those attackers get into your most sensitive data without you being able to notice – at least not easily – because it simply looks like one of your employees did it.
Social engineering is worrying when it comes time to consider the technology side of the equation, but how effective is it at actually getting users to give up their credentials? Many businesses train employees on how to identify phishing scams, how they can avoid risk on social media, and similar strategies that ensure they keep data safe by preventing social engineering, but is that enough? The Verizon 2019 Data Breach Investigations Report found that phishing scams are successful at an astonishing rate. Phishing is involved in 32% of breaches and 78% of cyber-espionage incidents, with 84% of social attacks featuring phishing emails.2
If that isn’t enough to get you worried, it’s worth noting that the previous year’s survey found that only 23% of phishing emails were opened, so people have actually been getting worse at preventing social engineering (though it may be that hackers are getting better). Either way, the message is clear – social engineering is a real threat as phishing alone is a major risk. So what can you do about it?
In many ways, the best way to prevent social engineering from impacting your business is to protect against insider threats. A few solutions make this possible, including:
Training isn’t just essential for your end users. Establishing educational programs for your security and IT teams can give them clear ideas of the emerging technologies and practices that can help them stay ahead of social engineering threats.
Hacking strategies are constantly changing, and social engineering is a primary example of this. New methods for data sharing, social interactions and identity theft are constantly emerging, and security professionals must stay ahead of these developments while also implementing new technologies and training users.
Learning Tree offers a full suite of cyber security training courses, including opportunities to learn the nuances of social engineering and what you can do about it. Effective training can help you stay ahead of the growing social engineering threat. Social Engineering Training: Deceptions and Defenses, course 2012 is a great place to start.