What is social engineering?
With social engineering, someone attempts to gain access to passwords and other sensitive information not through technical savvy, but by using various psychological tricks to gain your confidence and fool you into granting unwarranted privileges or access to protected data.
For example, an individual may pose as a customer service representative for a software company or as IT personnel; they then talk their way into obtaining your data and exposing you to further attacks. Other tactics include impersonating a colleague or potential associate via email or social media. In other situations, they may start out as strangers and then befriend you, gaining enough of your trust to get you to click on a malicious link in an email and download malware to your system. They may also try to find out enough about you to guess your password or your responses to password recovery questions in order to gain access to your accounts.
How can you prevent social engineering scams?
These types of scams often come as a surprise. They exploit people’s ready tendency to extend trust and accept explanations at face value. However, there are ways to reduce your chances of getting taken in by social engineering. The following are five tips:
• Raise awareness among your employees. If employees are aware of the risks and get introduced to the tactics commonly used in social engineering, they’re more likely to remain cautious even when approached by charismatic, confident, and seemingly trustworthy individuals, and less likely to accept information at face value. Offer training programs, and demonstrate to employees how sensible preventive measures can better protect them from scams in their personal lives, not only at work. Stress how important it is to pause and think instead of automatically clicking on links or disclosing sensitive information.
• Devise and enforce a comprehensive security policy. For example, you can institute rules about the kinds of files employees are allowed to download on company devices, and the kinds of information they’re allowed to disclose on social media or in person (or even just leave out in the open on their desks). Be sure to check whether they’re taking these policies seriously. Turn lapses into opportunities to once again discuss the consequences of poor security and the importance of caution.
• Adopt layers of protection. You should have in place a series of checks for confirming identity and detecting impostors. For example, if someone shows up at your office claiming to be a computer technician, your employees should check for appropriate identification and call the company the technician allegedly works for. Another strategy is to share information or suspicions about hacked accounts; for instance, if one of your employees thinks their email account has been compromised, they should notify everyone else, since messages from that account can no longer be trusted.
• Pay especially close attention to new employees. Because new employees are less familiar with your company and with the outside contractors and partners you work with, they’re more susceptible to getting tricked.
• Model secure behavior. As a leader within your company, you are the example your employees look to for safe practices and cautious behavior. If you pick security questions that are easily guessed or get lax about access to your network and servers, your employees won’t take your cyber security initiatives seriously.
Remember that there’s more to cyber security than technological solutions. Even if you use powerful firewalls, complicated passwords and strong encryption, all it takes is placing your trust in the wrong person for your company’s security to be compromised.