Social-engineering attacks are no longer the amateurish efforts of yesterday.
Sure, your company may still get obvious phishing emails with blurry logos and rampant misspellings, or the blatantly fake "help desk" calls from unknown phone numbers, but more sophisticated attacks are becoming the norm.
Using both high-tech tools and low-tech strategies, today's social-engineering attacks are more convincing, more targeted, and more effective than before. They're also highly prevalent. Almost seven in 10 companies say they've experienced phishing and social engineering.
For this reason, it's important to understand the changing nature of these threats and what you can do to help minimize them.
Know the Threat
Today's phishing emails often look like exact replicas of communications coming from the companies they're imitating. They can even contain personal details of targeted victims, making them even more convincing.
In one incident, bad actors defrauded a U.S. company of nearly $100 million by using an email address that resembled one of the company's vendors. And in the most recent presidential election, hackers used a phishing email that appeared to come from Google to access and release a top campaign manager's emails.
Bad actors can get sensitive data in many other ways. In one case, they manipulated call-center workers to get a customer's banking password.
Another way is to target data that's visually displayed on a laptop or mobile-device screen. For example, a bad actor could pose as a trusted vendor in an office or a business associate in a foreign country and subtly capture data with a smartphone or hidden recording device.
A Three-Tiered Defense
Given the prevalence and advanced nature of social-engineering threats, your privacy and security measures should cascade across three key areas: people, processes, and technology.
Some measures to consider using in each area include:
1. People: Provide ongoing training to educate workers about social-engineering threats, and procedures for preventing or responding to them. Employees who regularly handle sensitive information are more likely to be targeted — including HR, sales, and accounting workers. They should be your company's most knowledgeable workers about threats and procedures — and should be fully engaged to help identity threats.
For example, encourage workers to use the "Report email" or "Report as phishing" icons that can be enabled in Microsoft Outlook. The service provides an easy way for workers to report suspicious messages so IT can take steps to mitigate their impact. IT managers can also monitor the use of the icon to statistically track worker awareness and engagement.
If your company has separate IT and security teams, make sure there is a clear understanding about who is responsible for managing social-engineering threats. Any misunderstanding between these parties can lead to security gaps and a lack of accountability if an attack occurs.
2. Processes: Policies that encourage workers to not click on suspicious links or provide information to outside organizations go without saying. But make sure you also have procedures for workers to give you details about attempted attacks. This can help you investigate suspicious emails, URLs, and phone numbers, and better understand your vulnerabilities.
As you review and refine your policies, always aim for simplicity. Overly complex security protocols can be too much for workers to remember and can fail.
3. Technologies: Security-perimeter controls like antivirus protection and intrusion-detection/intrusion-prevention systems remain vital. Also, use security intelligence tools to understand your security ecosystem and the potential risks you face. And encrypt data to make it unreadable, even if it's stolen.
All laptop and mobile-device screens should be fitted with privacy filters. The filters black out the angled views of screens to help office workers and business travelers safeguard data from onlookers or even cameras.
A strong defense against social-engineering threats requires more than training and educating workers. You and your IT team must be vigilant about emerging threats so that as they evolve, your security and privacy measures evolve with them.
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info.Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, and a privacy consultant for 3M. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information ... View Full Bio