The social layer of data protection isn’t enough

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

May 18, 2023 - An organization's biggest strength is its people, but they are also its greatest weakness. People are fallible, make mistakes, give too much away, and get caught off guard. If we’re not aware of the warnings, it can be easy for us to fall victim to a social engineering attack.

Social engineering refers to the psychological manipulation techniques used by an attacker to deceive, manipulate, or impersonate employees into divulging sensitive information or performing actions that may compromise security. Social engineering includes phishing (email), smishing (SMS), and vishing (voice) and, according to Proofpoint, is responsible for 98 percent of cyberattacks within organizations.

These malicious attacks are prevalent in organizations of all sizes and sectors, but as Statista highlights, some sectors are more vulnerable than others. The finance sector saw the most phishing attacks during the first quarter of 2022 (23.6 percent), largely due to the volume of personal data held by financial firms and opportunities to target masses of people.

What can you do personally and professionally to make yourself less susceptible to the threat of social engineering?

Create a culture of compliance

Driving, building, and maintaining a positive compliance culture can help change attitudes of employees and inspire confidence. Among the steps to take to achieve this are:

  • Training: Developing a mandatory training program to teach employees the policies, procedures, mission, and values of an organization. Incorporating social-engineering-specific training such as phishing simulations will give employees true-to-life exposure to an attack, so they learn what to look out for.
  • Policies and procedures: Clarity on company policies and procedures not only keeps a company in check with their mission and values but gives employees a sense of belonging and purpose.
  • Regular communication from leadership: To encourage open and honest dialogue between management and employees. Security teams need to act quickly in the event of a social engineering attack; therefore, employees who speak up confidently and quickly rather than shy away for fear of punishment are key to stopping the spread of repercussions.

What is appropriate for an organization will depend on the stakeholders, its risk appetite, and what confidential information and personal data could be compromised by a successful attack. It can also be hampered rather than helped by policies or procedures that are not fit for the purpose or not well understood or well communicated. At best they will be ignored and at worst actively exploited.

Build your defenses

The UK National Cyber Security Centre (NCSC) last year claimed that organizations telling their users to avoid clicking bad links still isn’t working. What can we do to better build our defenses against social engineering attacks?

  • Trust: It only takes one individual to fall for a credential-harvesting phishing email for an attacker to access a network. Organizations must ensure that people feel trusted and supported when targeted by social engineering. As the NCSC states, “the stigma of clicking can prevent people reporting it, which then delays the incident response.”
  • Educate: Social engineering is increasingly undertaken by professional criminal organizations and state actors. While there might be some ”giveaways” when it comes to phishing emails, these malicious actors are methodical, thorough, and determined. Anyone could fail to spot a phishing email tailored specifically to them, which is known as a spear-phishing. Educating your supply chain, front of house, and office-based staff is critical. We also can’t forget the risks for remote workers. How are they keeping hold of devices and securely disposing of confidential waste? Are they reporting lost or stolen devices immediately?
  • Control: Organizations cannot rely on people alone to protect their network. Technical controls such as anti-virus software and firewalls should be put in place to limit the attack surface and the potential privacy damages.

It is important to remember that social engineering and phishing attacks are the start of the process for a malicious actor; get someone to hand over their keys, and malware and ransomware follows.

Take back power

We can all play our part in reducing our personal and professional attack surfaces by considering our online and social media footprints and those of our friends and family. Here are some key steps to consider:

  • Be aware of the online and physical environments in which you openly disclose confidential and personal information.
  • Reduce the amount of information you share online.
  • If you must share online, check your privacy settings.

Malicious actors are sophisticated and will use anything and everything about us to find a way in. We are fallible, and we all have weaknesses in our defenses, interests, passions, and chinks in our personal armor that could be exploited. If we knowingly publish these details publicly on the internet, social media profiles, online forums, or review sites, we make ourselves an easy target. With the best of intentions, with vigilance and diligence, the threat remains wherever it comes from. It’s a case of when, not if.

Read more on how to recover from a data breach in Using data discovery to restore trust in the aftermath of a breach. For more insights on other digital trust, privacy, information security, and environmental, health, and safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.