So you have everything in place when it comes to network firewalls, corporate antivirus and your building’s security. You’ve invested in the technology. But what about the staff?
Social engineers, or criminals who take advantage of human behaviour to pull off a scam, aren’t worried about your network’s security. They will just walk right in and confidently ask someone to help them get inside. And that firewall? It won’t mean much if your users are tricked into clicking on a malicious link they think came from a friend on Facebook.
What is social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
So let’s take a look at the top 5 vulnerabilities:
1. People want to be helpful. Sometimes the help goes too far and they give away too much information.
2. People are messy. By nature, they leave paper around, copy multiple people on e-mail, and leak data.
3. People like convenience. No one wants to be put out by additional security, even though it may benefit the organisation.
4. People want to avoid confrontation. It’s difficult for some people to ask others to prove who they are, so they don’t ask.
5. People are curious. A great example is an employee who finds a USB drive in the car park. The first thing they do when they get to their desk is plug it in to see what’s on it.
Even though social engineering attacks are some of the most difficult to defend against, there are some precautions that you can put in place to help prevent falling victim:
- Use encryption on every device.
- Use Data Loss Prevention products. Know who has access to your data, when they access it, and what they are accessing.
- Lock down mobile devices, or limit what they can connect to.
- Lock down peripheral devices. There are commercial products that allow security administrators to completely lock down USB ports. This can be difficult since many devices are USB-connected today.
- Train staff to be aware of the risks: if employees do not know what social engineering is, they don’t realise how they can be exploited.
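To make the “lock down peripheral devices” and “found USB drive in the car park” points concrete, here is an added example (not from the article, and not the code of any commercial device-control product) that models the decision logic such a product applies: removable storage is denied by default and only drives on an approved list, matched by vendor ID, product ID and serial number, are allowed, while non-storage devices such as keyboards are left alone. The udev-style property records, the vendor/product IDs and the serial numbers are all constructed sample values; the approved-drive list is an assumption standing in for whatever inventory a real organisation keeps.

```python
"""Model of a USB device-control policy: deny unapproved removable storage.

Added illustration only. Real enforcement would be done by an OS policy or a
device-control product; this shows the allow/deny decision those tools make.
"""
import re
from dataclasses import dataclass

# USB interface class 0x08 is mass storage (flash drives, external disks).
MASS_STORAGE_CLASS = 0x08

# Approved corporate drives as (vendor_id, product_id, serial) triples.
# Constructed values: in practice this list comes from an asset inventory.
APPROVED_STORAGE = {
    ("1234", "0001", "CORP-ENC-0001"),
}

# Constructed udev-style property blocks, one per plugged-in device.
SAMPLE_EVENTS = """\
ACTION=add
ID_VENDOR_ID=1234
ID_MODEL_ID=0001
ID_USB_INTERFACES=:080650:
ID_SERIAL_SHORT=CORP-ENC-0001

ACTION=add
ID_VENDOR_ID=abcd
ID_MODEL_ID=0002
ID_USB_INTERFACES=:030102:030000:
ID_SERIAL_SHORT=

ACTION=add
ID_VENDOR_ID=1234
ID_MODEL_ID=0003
ID_USB_INTERFACES=:080650:
ID_SERIAL_SHORT=FOUND-IN-CARPARK

ACTION=add
ID_VENDOR_ID=1234
ID_MODEL_ID=0001
ID_USB_INTERFACES=:080650:
ID_SERIAL_SHORT=OTHER-SERIAL
"""


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str
    product_id: str
    serial: str
    interface_classes: frozenset


def parse_udev_properties(text):
    """Parse blank-line separated KEY=VALUE blocks into UsbDevice records."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        props = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        # ID_USB_INTERFACES looks like ":ccsspp:ccsspp:"; the class is the first byte.
        classes = frozenset(
            int(token[:2], 16)
            for token in props.get("ID_USB_INTERFACES", "").split(":")
            if len(token) == 6
        )
        devices.append(UsbDevice(
            vendor_id=props.get("ID_VENDOR_ID", "").lower(),
            product_id=props.get("ID_MODEL_ID", "").lower(),
            serial=props.get("ID_SERIAL_SHORT", ""),
            interface_classes=classes,
        ))
    return devices


def decide(device):
    """Deny by default for storage; allow only inventoried drives by full identity."""
    if MASS_STORAGE_CLASS not in device.interface_classes:
        return "allow"  # keyboards, mice etc. are outside this storage policy
    if (device.vendor_id, device.product_id, device.serial) in APPROVED_STORAGE:
        return "allow"
    return "deny"  # same make and model with a different serial is still denied


def evaluate(text):
    """Return (vendor:product, decision) for each device in the event text."""
    return [(f"{d.vendor_id}:{d.product_id}", decide(d)) for d in parse_udev_properties(text)]


def denied_report(text):
    """Audit lines for denied devices, the events a SOC would want alerted on."""
    return [
        f"DENY usb-storage vendor={d.vendor_id} product={d.product_id} serial={d.serial or '<none>'}"
        for d in parse_udev_properties(text)
        if decide(d) == "deny"
    ]


if __name__ == "__main__":
    for entry in evaluate(SAMPLE_EVENTS):
        print(entry)
    for line in denied_report(SAMPLE_EVENTS):
        print(line)
```

The fourth sample device shows why matching on the serial number matters: it has the same vendor and product ID as the approved corporate drive, but it is not the inventoried unit, so it is still denied. The denied-device lines are the events worth forwarding to a log collector, since a spike of them after a car-park “drop” is exactly the signal the awareness training above is meant to prevent.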