Your security infrastructure alone cannot keep your network safe. Employees are actually the most common cause of security compromise, generally through ignorance rather than malice. Social engineering hacks that target employees tend to be incredibly successful and can sidestep even some of the best security technology.
1. Impersonating Technical Support or Maintenance
“Hi, this is Jack from IT. I’m updating employee email accounts, but I need your login information.”
How many employees will respond automatically rather than checking with their supervisors first? Many employees are used to giving tech support or maintenance teams their personal information, including their login credentials. This is a huge vulnerability. IT should always be able to perform maintenance tasks on its own, without asking employees for credentials, or else in person at the employee’s desk.
2. Phishing and Other Email Techniques
“Your email may have been compromised! Please log in at…”
Emails are frequently sent to employees to bait them into giving up their login information. Once they click on a seemingly legitimate link, they are redirected to the phisher’s website, where their confidential information is captured. Employees should be well educated about these attacks; they should be able to identify fake emails and spoofed links. There are also network security applications that can detect phishing links as they arrive.
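As an added illustration (not code from the original article), here is a small Python filter that applies two of the checks such detection tools perform on an incoming message: whether the visible link text names a different domain than the href actually points to, and whether a trusted company domain has been embedded inside an untrusted host or replaced by a raw IP address. The trusted domain and the sample message are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname; a production filter would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_spoofed_links(html, trusted_domains):
    """Return (href, reason) for each link showing a classic phishing tell."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.pairs:
        host = urlparse(href).hostname or ""
        real = registrable_domain(host)
        if IPV4.match(host):
            findings.append((href, "raw IP address instead of a hostname"))
        elif text and URL_LIKE.match(text):  # visible text looks like a URL: compare domains
            shown = registrable_domain(urlparse(text if "://" in text else "http://" + text).hostname or "")
            if shown != real:
                findings.append((href, f"displayed {shown} but points to {real}"))
        elif real not in trusted_domains and any(t.split(".")[0] in host for t in trusted_domains):
            findings.append((href, f"trusted brand name inside untrusted host {host}"))
    return findings

# Constructed sample message (hypothetical domain example-corp.com), not a real phishing email.
SAMPLE = """<p>Your mailbox may have been compromised. Please log in at
<a href="https://mail.example-corp.com.account-verify.net/login">https://mail.example-corp.com</a>
or <a href="http://203.0.113.7/reset">reset your password</a>.
Questions? See <a href="https://help.example-corp.com/">our help page</a>.</p>"""

if __name__ == "__main__":
    for href, reason in find_spoofed_links(SAMPLE, {"example-corp.com"}):
        print(f"SUSPECT {href}: {reason}")
```

The legitimate help-page link passes; the two bait links are flagged with the reason a mail gateway could show the user.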
3. Social Media Confidence Hacking
“Hi there! I just connected with you on LinkedIn! I had a few questions about…”
Now that all employees regularly list their place of work on their social media pages, social engineering exploits have become easy. Social engineers may connect with employees on LinkedIn and falsify their own profile information, appearing to work under a shared supervisor at the very same company. Once this has been achieved, they can ask real employees for company-specific information with a veil of legitimacy. Employers and IT security teams should be aware of the potential for this type of abuse and should regularly check their own company’s social media pages.
4. In-Person Piggybacking and Access Granting
“Sorry, I forgot my swipe card. Can I get through with you?”
When a social engineer needs access to a physically secured area, they will often simply slip through behind someone who holds the appropriate credentials, or make up an excuse as to why they don’t have their own. Though this requires a very bold individual, it’s a move that often pays off; many systems are not secured as well physically as they are at the software level.
Proper employee training can drastically reduce the chances of the above exploits being used against your business — but there will always be employees who are a little less than technically savvy. Network traffic and activity monitoring solutions work to identify compromises as they occur, while granular security controls can limit the network attack surface.
Some security software is available to combat phishing and pharming, but the best defense against the full range of social-engineering attacks is a company-wide culture of security awareness. Like automated network-defense systems that identify and repel new viruses without human interaction, a security-aware culture helps employees easily and routinely identify and repel social-engineering attacks.