Don't Let Social Engineers Compromise Your Business Data
Whatever kind of business you run, one fact is certain: your operation holds a great deal of information about your company, employees, products and customers. Some of this information is both confidential and valuable. If it fell into the wrong hands, it could be devastating to your business, both in monetary damages and in lost trust.
Safeguarding that information requires more than state-of-the-art technology and appropriate policies, although these are critically important. Ultimately, much of the responsibility for protecting your information rests on your employees. If your employees do not follow good data security practices, all of your other precautions could be for naught.
Your employees must be able to spot potential threats to data security and know what to do about them. Some cyber attacks do rely on technical means to break into your network, but a far more common way in is "social engineering": manipulating a person rather than a machine.
Social Engineers Exploit Natural Human Trust
You've seen it dozens of times in the movies: an intruder gets into an apartment building (or a business) by pretending to have misplaced a key. That's a classic example of social engineering, using a pretext to trick an unsuspecting person. Social engineering can happen face-to-face, as the "lost key" scenario shows, over the phone, or by email.
Employees should be on the lookout for tell-tale signs that a caller may be running a scam, such as:
- reluctance to provide contact information or a call-back number;
- impatience with the employee's request to verify information before proceeding;
- seeming to be in a rush to get information;
- attempts at familiarity, such as implying they know someone at the business; and
- requesting confidential information.
Phishing email schemes are an increasingly popular type of social engineering. Phishing uses email, often together with a malicious website, to acquire information. For example, an employee may receive an email that appears to be from a vendor or a bank claiming there is a problem with the business account. Phishing emails are becoming increasingly sophisticated and often mimic an authentic message closely; the dangerous difference is buried in the hyperlinks, where the visible link text looks legitimate while the underlying address points to a site the attacker controls.
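The hyperlink trick above can be checked mechanically before anyone clicks. The script below is an added example, not code from the original article: it parses the HTML body of an email, pulls out every link, and flags any link whose visible text names one domain while the href goes to another, as well as any link that leaves the domains the sender is expected to use. The sample email, the trusted domain `examplebank.com` and the lookalike hosts are all constructed for this example.

```python
"""Flag hyperlinks in an HTML email where the text shown to the reader and the
address actually visited disagree, the classic phishing "buried distinction"."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email imitating a bank notice. All hosts are made up.
SAMPLE_EMAIL = """
<p>Dear customer, there is a problem with your business account.</p>
<p>Please <a href="http://examplebank.com.account-verify.example/login">
log in at https://www.examplebank.com</a> to resolve it.</p>
<p>Questions? <a href="https://www.examplebank.com/help">Visit our help center</a>.</p>
<p>Or go directly to <a href="https://login.examplebank.com">https://login.examplebank.com</a>.</p>
<p>Forgot your password? <a href="http://examp1ebank.com/reset">Reset your password</a>.</p>
"""

# Assumption for the example: the sender's only legitimate registrable domain.
TRUSTED_DOMAINS = {"examplebank.com"}

# Something in link text that a reader would take to be a web address.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation; a real tool would consult the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(url):
    """Registrable domain of a URL or bare hostname (scheme optional)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return registrable_domain(host)


def find_suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return a list of findings, one per link that a reader should not trust."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_domain = domain_of(href)
        shown = URL_IN_TEXT.search(text)
        if shown and domain_of(shown.group(0)) != href_domain:
            # The text says one place, the link goes somewhere else.
            findings.append({"href": href, "text": text,
                             "reason": f"text names {domain_of(shown.group(0))} "
                                       f"but link goes to {href_domain}"})
        elif href_domain not in trusted:
            # No URL in the text, but the target is not a domain we expect.
            findings.append({"href": href, "text": text,
                             "reason": f"link leaves trusted domains ({href_domain})"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{f['text']}' -> {f['href']}  ({f['reason']})")
```

Run against the sample, the "log in at https://www.examplebank.com" link is flagged because its href lands on `account-verify.example`, and the "Reset your password" link is flagged because `examp1ebank.com` (digit one for the letter l) is not the bank's domain; the two genuine links pass. The same check is what a mail gateway or a browser hover preview makes visible, which is why training should tell employees to look at where a link actually goes, not at what it says.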
Social engineering is often very successful because it plays on human nature. Most of us, including your employees, want to think well of other people and to trust them. What's more, you probably emphasize the importance of helping the customer and have instructed your employees to try to resolve whatever problem is presented to them.
Three Steps to Thwart Social Engineering Scams
Develop policies that address the human side of data security. It's important to password-protect your systems and to require strong passwords. It's equally important to have a policy that clearly prohibits an employee from handing out credentials (such as a password or account number) or access to business systems over the phone or by email. Moreover, only certain employees, with additional training in recognizing social engineering, should be authorized to provide that information, and only after verifying the requester through a channel the business already knows, such as calling back on a number on file.
Having a policy gets the front-line employee off the hook. Remember, misplaced trust combined with a desire to be helpful is a key reason why these attacks succeed.
Train your employees. Training needs to be two-fold.
- First, your employees need to know the specifics of your business's policy: what information they can and can't provide, how to escalate a suspicious request, and the consequences for failure to follow the policy.
- Second, your employees need to be able to recognize a social engineering attack for what it is and know how to deflect one.
The training session should be as lively and as engaging as possible. Use role-playing tailored to your business. Depending upon the size of your business and the amount of sensitive information that you have, you may want to explore working with a company that specializes in this type of training. For example, Wombat Security Technologies offers a range of services including online games to teach employees to recognize phishing emails. (They offer a free demo of the online game to help you evaluate it.)
Reinforce the message. One-time training, no matter how engaging and thorough, is not enough. Remind your employees that information security is part of their job description. Put up signs or posters that keep security top of mind. Make sure to acknowledge employees who spot and deflect a threat, whether it arrives by email, by telephone or in person.