Page 61 - Cyber Defense eMagazine - September 2017
Social engineering attacks
The devil is as black as he’s painted. Social engineering is the manipulation of people, not machines, in order to breach a company’s systems and steal confidential data. Today it is one of the leading security threats because it exploits the weaknesses of human psychology. Employees must understand the different kinds and tactics of social engineering and know how to prevent it from putting your business at risk of being hacked. For this purpose, part of your training should be aimed at clarifying the danger of phone calls and emails from third parties pretending to be a co-worker with an urgent problem that requires access to confidential data and information. In fact, these are attempts to gather as much information about your business as possible.
All staff members should be involved
Even well-educated cyber security specialists make mistakes, so all personnel should be involved in constant training, including IT and IS professionals, CEOs and CISOs. Top managers are especially vulnerable because they have high-level access to all confidential data. IT staff are also a key target because of their administrative access to all corporate networks and resources. Cybercriminals intending to hack corporate networks often know who the executives are, which means that company management is even more at risk.
Conduct regular testing and assessments
Any training needs assessment and analysis, so test your staff regularly. You should know their level of knowledge and skills in order to identify gaps and soft spots. What should your tests include? For example, simulated phishing attacks to see how many employees click on suspicious links and consequently give away information. For those who fall for the fake phishing emails, conduct additional training and create multiple courses and workshops. You may also see how many employees will transmit confidential company data over email if asked to by a website or service.
Ongoing nature
Information security training should be ongoing and regular, and it should keep up with the latest cyber security trends and techniques. Inform your employees about the latest sophisticated security threats and infiltration methods as they evolve daily, and regularly hold live demos during classes. It may be useful to send emails and bulletins with security tips and reminders, as well as technical solutions and advice on how to monitor and mitigate cyber risks and which steps to take after a data breach.
To conclude, companies should constantly conduct security awareness training and always include practical examples of the most common security threats and vulnerabilities. Employees must clearly understand that ignorance, carelessness and unwillingness to learn will invariably lead to constant data losses and hacker attacks.
Copyright © Cyber Defense Magazine, All rights reserved worldwide.