You can have top-notch security in place but there is still one danger: social engineering. It’s the old kid on the block, but most of us have never heard of it. Perhaps the more familiar term is ‘con’: the art of manipulating people to take certain actions or divulge private information. Social engineers are a special type of hacker who skip the hassle of writing code and go straight for the weakest link in your security defenses – your employees. A phone call, a cheap disguise or casual email may be all it takes to gain access, despite having solid tech protections in place.
Here are just a few examples of how social engineers work:
Email: Pretending to be a co-worker or customer who ‘just quickly’ needs a certain piece of information. It could be a shipping address, login, contact or personal detail that they pretend they already know, but simply don’t have in front of them. The email may even tell you where to get the data from. The hacker may also create a sense of urgency or indicate fear that they’ll get in trouble without this information. Your employee is naturally inclined to help and quickly sends a reply.
Phone: Posing as IT support, government official or customer, the hacker quickly manipulates your employee into changing a password or giving out information. These attacks are harder to identify and the hacker can be very persuasive, even using background sound effects like a crying baby or call-center noise to trigger empathy or trust.
In person: A delivery man uniform gets past most people without question, as does a repairman. The social engineer can quickly then move into sensitive areas of your business. Once inside, they essentially become invisible, free to install network listening devices, read a Post-it note with a password on it, or tamper with your business in other ways.
It’s impossible to predict when and where (or how) a social engineer will strike. The above attacks aren’t particularly sophisticated, but they are extremely effective. Your staff have been trained to be helpful, but this can also be a weakness.
So what can you do to protect your business?
Recognize that not all of your employees have the same level of interaction with people, the front desk clerk taking calls all day would be at higher risk than the factory worker, for example. We recommend cyber-security training for each level of risk identified, focusing on responding to the types of scenarios they might find themselves in. Social engineering is too dangerous to take lightly, and far too common for comfort.