Social Engineering: Can Organizations Win the Battle?

Social engineering is not only a problem that is not going away – it’s getting more sophisticated. Security leaders are seeing that:

• Traditional phishing emails that have misspelled words and bad grammar continue to be used.

• Spear phishing emails are becoming more difficult to discern from bona fide emails because of the mass amount of personal details that cyber criminals are able to capture from personal and professional social media sites.

• Social engineering attacks are happening on an industry level. For example, the Canadian Anti-Spam legislation is intended to empower users to unsubscribe from email lists. Cyber criminals are using unsubscribe features to inject malware.

Recommendations to combat social engineering attacks include:

• Leverage tools such as NoScript to provide countermeasures against web security exploits.

• Maintain a constant flow of communication to employees and other users. Have security awareness campaigns and security awareness days.

• Make security training and educational messages personal. Capture interest by educating users on how to keep themselves and their family safe from attacks. Follow with messages on how to apply those safety principles within the business environment.

• Use incentives and rewards to encourage employees to report phishing attacks.

• Keep education programs fresh. Vary the messages to reduce the risk that users will tune out educational messages because they hear the same messages all the time.

• Keep the messages timely and relevant to what is occurring in the organization, such as the use of a new social media channel or influx of phishing attacks.