Tackling Social Engineering with Training

By: Absolute Team | 4/26/2012

HP recently wrote about how social engineering attacks ("phishing" attacks) continue to be one of the most successful means of penetrating organizational security.

Phishing attacks that target businesses are more sophisticated than the standard tactics. The deceptive emails won't necessarily solicit your donations for a growing enterprise in Nigeria; instead, they may appear to be legitimate company emails leading to official-looking websites. Since the link leads to a bogus website, any details the employee shares (passwords, confidential information) are then leaked to the phisher. HP notes that some of these attacks pressure users into making quick decisions, sometimes under threat: the "you'll be fired" threat is reportedly quite common and very successful.

Larger companies are more at risk from phishers, since made-up names and authorizations are less likely to be noticed by individual employees.

When your company already has firewalls, intrusion prevention devices and virtual private networks, what else can you do? Here are some suggestions from HP:

  • Further restrict information access controls
  • Create a security response team
  • Encourage employees to be distrustful
  • Verify the effectiveness of your training on an ongoing basis

As you can see, most of this advice focuses on training as a prevention method. Regularly testing your employees on how they handle requests for information (simulated social engineering attacks) is a great way to test your defences.
