Why companies are exposed to social engineering
Who presents the most dangerous threat inside your business? Most organisations would be surprised to learn that overly helpful employees can be far more dangerous than the stereotypical “disgruntled employee”.
While most CTOs and IT managers focus on the technical aspects of information security, highly publicised incidents overseas have shown that social engineering can sidestep the most advanced technological defences. Security appliances, for all their reassuring rows of blinking lights, are rendered ineffective once a social engineer has tricked an employee into handing over privileged access to the internal network.
This article explores the vulnerability of enterprises to social engineering: an attack that manipulates well-meaning or curious employees into unwittingly abetting the theft of corporate secrets.
The whitepaper covers three main aspects of social engineering:
- Relevance – the extent of exposure
- Challenge – making the case
- Protection – testing and procedures
The whitepaper treats social engineering as a type of insider threat, because the damage is done through a legitimate insider’s access. Insider threats are typically associated with the disgruntled employee who uses legitimate access to internal systems to steal, delete or manipulate information assets, or to disrupt IT-dependent operational systems such as SCADA control systems.
By comparison, a social engineering attack is carried out by an external attacker who deliberately exploits an employee’s good intentions (their willingness to assist) or their general curiosity, for example by enticing them to click on a link in an email that leads to a malicious website. Although social engineering and the disgruntled employee are both insider threats in this sense, defending against them requires very different approaches: the former is a people problem addressed through awareness and verification procedures, the latter an access-control and monitoring problem.
The consequences of not protecting against social engineering can be disastrous, as the 2015 incident at network technology manufacturer Ubiquiti Networks (which began with emails impersonating company executives and cost the company tens of millions of dollars in fraudulent transfers) and the 2011 breach of security vendor RSA (which began with a spear-phishing email carrying a malicious attachment) have demonstrated. Social engineering has also become easier to carry out with the rise of social networking sites, which expose a wealth of personal information that an attacker can use to build a convincing pretext.
One of the greatest challenges for enterprises defending against social engineering is coordinating a response across different departments, especially Human Resources. The answer to social engineering is not to buy another security appliance or software product. The best protection is ongoing security awareness training, backed by a robust set of security policies and verification procedures, that reminds all employees of the important role they play in safeguarding their company’s information assets.
Download our PDF to read more
Sense-of-Security-Whitepaper-Social-Engineering-V1.1-01Apr16.pdf