Nobody's Fool: Combating Social-Engineering Risks - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
IT Leadership // Security & Risk Strategy
1/7/2019
09:00 AM
Larry Ponemon, Chairman and Founder, Ponemon Institute and 3M Privacy Consultant
Larry Ponemon, Chairman and Founder, Ponemon Institute and 3M Privacy Consultant
Sponsored Article
50%
50%

Nobody’s Fool: Combating Social-Engineering Risks

IT-managed security and privacy measures should span a company's people, processes and technologies.

In a 2017 Ponemon study, nearly 70 percent of companies said they've experienced phishing and social engineering.

These threats, while always serious, used to be almost comical in how easily they could be spotted. The “tells” could be obvious, such as poor spelling in phishing emails or unlisted phone numbers in calls that claimed to come from a help desk.

But social engineering tactics have evolved. Their communications are more convincing and sophisticated. And, that can make them more successful in manipulating workers in your company and stealing your sensitive data.

For example, today’s phishing emails often look like exact replicas of those coming from the companies they’re imitating. The emails can even contain personal details of targeted victims, making them even more convincing.

In one incident, bad actors defrauded a U.S. company of nearly $100 million by using an email address that resembled one of the company’s vendors, as Reuters reported. In another case, CSO detailed how a bad actor manipulated call-center workers to get a customer’s banking password.

The more mobile nature of work has also created opportunities for social engineers to target data exposed on laptop or mobile-device screens. For example, a bad actor could pose as a trusted vendor in an office or as a business associate in a foreign country, and then subtly capture data with a smartphone or hidden recording device.

A Three-Tiered Defense

Given the prevalence and advanced nature of social-engineering threats, your privacy and security measures should cascade across three key areas: people, processes and technology.

Some measures to consider using in each area include:

1. People: Provide ongoing training to educate workers about social-engineering threats, and procedures for preventing or responding to them. Employees who regularly handle sensitive information are more likely to be targeted – like HR, sales or accounting workers. They should be your company’s most knowledgeable workers about threats and procedures and should be fully engaged to help identify threats.

For example, encourage workers to use the "Report email" or “Report as Phishing” icons that can be enabled in Microsoft Outlook. The service provides an easy way for workers to report suspicious messages, so IT can take steps to mitigate their impact. IT managers can also monitor the use of the icon to statistically track worker awareness and engagement.

If your company has separate IT and security teams, make sure there is a clear understanding about who is responsible for managing social-engineering threats. Any misunderstanding between these parties can lead to security gaps and a lack of accountability if an attack occurs.

2. Processes: Policies that encourage workers to not click on suspicious links or provide information to outside organizations go without saying. But make sure you also have procedures for workers to give you details about attempted attacks. This can help you investigate suspicious emails, URLs and phone numbers, and better understand your vulnerabilities.

As you review and refine your policies, always aim for simplicity. Overly complex security protocols can be too much for workers to remember and can fail.

3. Technologies: Security-perimeter controls like anti-virus protection and IDS/IPS remain vital. Also, use security intelligence tools to understand your security ecosystem and the potential risks you face. Encrypt data to make it unreadable, even if it’s stolen.

All laptop and mobile-device screens should be fitted with privacy filters. The filters blacken out the angled side views of screens to help office workers and business travelers safeguard data from onlookers or even cameras.

Keep Evolving

A strong defense against social-engineering threats requires more than training and educating workers. You and your IT team must be vigilant about emerging threats so that as they evolve, your security and privacy measures evolve with them.

About the Author:

Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, and a 3M privacy consultant. 3M compensates him in connection with his participation as a privacy consultant.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Commentary
Why IT Leaders Should Make Cloud Training a Top Priority
John Edwards, Technology Journalist & Author,  4/14/2021
Slideshows
10 Things Your Artificial Intelligence Initiative Needs to Succeed
Lisa Morgan, Freelance Writer,  4/20/2021
Commentary
Lessons I've Learned From My Career in Technology
Guest Commentary, Guest Commentary,  5/4/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll