Mitigating the risks of social engineering

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 26 Nov 2015
Jenny Radcliffe, Social engineer, Jenny Radcliffe Training.

The threat of technology-based attacks that employ various types of malicious code is well understood, and businesses of all types and sizes have tools and other measures in place to manage this risk to proprietary or sensitive company information.

However, social engineering attacks are far trickier to handle or manage as they rely solely on human vulnerabilities and behaviour. Social engineering is the use of trickery and manipulation to obtain confidential information from employees within an organisation.

It is a non-technical intrusion that depends largely on human interaction and often involves fooling employees into breaking the security procedures in place. Social engineers understand that most people are unaware of the value of data they possess, and can be lackadaisical when it comes to protecting it.

Jenny Radcliffe, social engineer at Jenny Radcliffe Training, will discuss social engineering at the ITWeb Security Summit 2016, to be held from 17 to 19 May at Vodaworld in Midrand. Her presentation, "The Perfect Storm - How culture, coincidences and con artists are still social engineering their way past your security measures (and what you can do about it!)" will delve into some of the issues, and offer advice to businesses on how to mitigate this threat.

Speaking about what businesses can do to better educate their employees about this trick, Radcliffe says: "Awareness campaigns are essential if businesses are to even begin to protect themselves. People are often genuinely unaware of the scope and extent of potential social engineering attacks, and are therefore extremely vulnerable to them."

She adds that organisations can start by highlighting issues like online secure behaviour, vigilance around entry points of buildings and phishing awareness information, through newsletters, e-mails and internal communication systems. "What is key is to work within the culture that already exists and use methods of communicating that work for your organisation. Don't overcomplicate things and keep repeating the message."

The ITWeb Security Summit 2016

The 11th annual infosec event from ITWeb is the event for IT and security professionals in Africa. Protect your organisation from within by learning more about human vulnerabilities, and prevent further social engineering attacks, by registering here.

In terms of tools available to fight this scourge, she says there is a suite on offer, from Security 'IQ' tests, which assess awareness and cultural factors within the organisation, to penetration testing and training workshops under her SEAT (social engineering awareness training) brand.

"However, there is a wealth of information available online for free, including some Webinars I did on the BrightTALK channels, videos and articles. It's really worth sifting through the materials online to find what might be useful to your particular organisation and getting going. Attackers won't work within your budget constraints, so you may need to do some research to get you started."

According to Radcliffe, there is no quick solution to this issue. "It's the oldest con in the book but the methods and attack vectors are constantly changing, evolving to use the technology and cultural landscape to the attackers' advantage. That said, informing staff of the dangers and removing fear of reporting near misses, suspicious behaviours and successful attacks will really help mitigate your vulnerability. 'Make the attacker's life harder' should be the mantra for your company."
