The Human Vulnerability: Social Engineering Education For Businesses

There is a human element to cybersecurity vulnerability in business.  These threats may not come from sophisticated malware or technical vulnerabilities, but from exploiting the psychology and behavior of employees while on their devices by using clever social engineering tactics.

CyberPrivacy Brief:

  • Vishing is a social engineering technique done over the phone or impersonation on site that could trick targets into revealing information to penetrate a network.
  • It is similar to phishing email-based attacks and smishing text-based attacks.

“Malicious social engineers aren’t necessarily very technical people but they’re crafty and clever in the way they think,” says Michele Fincher, COO of Social Engineer, a consulting firm that offers and training in social engineering.

Social engineering generally isn’t about technical-know how.  “It’s about what connects you to others, what makes you curious and angry and what might make you act without thinking,” she explains.

  • Phishing accounts for 77% of all socially based attacks; targeted businesses lost $43,000 per account,  according to Social Engineer.
  • Impersonation-based attacks resulted in individuals losing $4,200 on average.

Accordingly,  businesses should provide employees training and education to counter these attacks, said Rachel Tobac, creative director at the nonprofit Women in Security and Privacy, a group that works to advance women in privacy and security careers. While human error cannot be eliminated in its entirety, she advises businesses to:

  • Train all employees, but especially those most isolated within the company, like interns or those not in direct contact with clients over the phone, as these targets can potentially be the entry point.
  • Develop a solid social media strategy to reduce the risks of open source intelligence revealing information that can be used to authenticate or implement a malicious attack.
  • Train employees on social engineering attacks weekly and if not monthly on what not to answer over to phone through vishing exercises.

“If you can get information from one individual — just one compromised individual — you can figure out how to get onto the network easily, you can figure out what type of badge you would make to recreate to do an onsite pretext, you can figure out how to penetrate their network through their operating system and the machines and workstations that they use. The most malicious thing that you could do is to get that individual to go to a malicious link over the phone,” Tobac continued  

Taking these above steps can “change the game” for businesses to stay more secure, Tobac concludes. 



One Comment Add yours

  1. LaurelsCode says:

    I’m currently learning about social engineering in college, is a fascinating and dangerous thing. This helped me to understand better, Thank you!

    Liked by 1 person

Please leave us a comment

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s