How to protect your organisation against social engineering attacks

  • Not every successful cyber attack is a result of a sophisticated ‘hack’
  • Research suggests almost all cyber attacks involve a form of social engineering, such as a phishing email designed to trick the recipient into clicking on a link that leads to malware
  • We look at how organisations can protect themselves against social engineering techniques

When cyber crime hits the headlines, as it did during the WannaCry ransomware attacks of 2017, the focus is often on the technical details – such as how the attackers deployed malware, infiltrated their victims’ networks or encrypted their files.

This can make cyber attackers appear more sophisticated than they actually are. The extent to which they rely on human error or ignorance is often underplayed. Indeed, recent analysis from the cybersecurity firm Proofpoint suggests up to 99% of cyber attacks involve some form of social engineering, designed to exploit human rather than purely technical vulnerabilities.

Here, we look at some common examples of social engineering techniques and discuss how organisations in the public and voluntary sectors can protect themselves.

What is social engineering?

Social engineering describes the range of techniques that attackers use, online and offline, to trick people into handing over valuable information, such as login credentials, or into granting them access to a system, network or building.

Examples of social engineering techniques include:

  • Phishing – these attacks often involve deceptive emails, designed to trick people into clicking on a link to a malicious website or opening an attachment that carries malware which could infect their computer
  • Spear-phishing – these are more personalised phishing messages, often built from details gathered about the target in advance, designed to convince the recipient that the person messaging them is an authentic contact, e.g. a friend or colleague, who can be trusted
  • Baiting – these techniques aim to pique victims’ curiosity or entice their interest, e.g. by offering free software or music downloads in exchange for login details, or leaving a malware-infected USB device on the reception desk of a target organisation, in the hope that someone will plug it into their computer
  • Tailgating – this is when an unauthorised person attempts to access a restricted area of a building, for example by following closely behind an employee who has entered a security code to open a door, or by impersonating a delivery driver or maintenance worker

One feature that most social engineering techniques have in common is that they aim to exploit people’s natural inclination to believe that those addressing them, whether in person, over the phone or online, are who they say they are.

Why cyber criminals target the public sector

Public and voluntary sector organisations are an attractive target for cyber criminals, partly because of their high profile, but also because they hold a vast amount of data, much of it personal or sensitive.

Many of the tactics used by cyber criminals to target the public sector involve an element of social engineering. For example, successful ransomware attacks often begin with a phishing email that tricks an employee into clicking on a link that leads to malware, or opening an attachment that carries it. Once the malware is running on the victim’s machine, the attacker can encrypt the files on it, and often on any network shares it can reach, and demand a ransom in exchange for the decryption key.

Ways to avoid falling victim to social engineering attacks

In order to protect your organisation, ensure your employees understand what to look out for and what to do if they see something suspicious, for example by training them to recognise the different social engineering techniques described above.

We previously published useful guidance on how to spot phishing emails, which are one of the most common forms of social engineering used by cyber criminals.

It is important to have a mechanism to test the effectiveness of your training. For example, running simulated phishing attacks is a useful way to test whether staff have absorbed training about what phishing emails look like. In a phishing simulation, organisations send a group of employees an email containing a deceptive (but harmless) link, to see what proportion click on it. It is worth tracking not only how many people click but also how many report the email, since reporting is the behaviour you are trying to encourage. Data from the simulations can also be used to target re-training at the teams where click rates are highest.
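The following is an added example, not code from the original article or from Zurich, of how such a simulation can be tracked: every recipient of the harmless email gets a random, unguessable tracking token in their link, so a click can be attributed to a person for follow-up without putting names or email addresses in the URL, and results are aggregated per department so re-training can be targeted. The landing-page URL, the 20% threshold and the ten-person staff list are constructed for illustration.

```python
# Added example (not from the original article): tracker for an internal
# phishing simulation. Tokens are random so staff cannot guess or swap links,
# unknown tokens (e.g. a scanner probing the URL space) are not counted, and
# both click and report rates are reported per department.
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

TRACKING_BASE_URL = "https://awareness.example.invalid/t/"  # assumed harmless landing page
CLICK_RATE_THRESHOLD = 0.20  # assumed: departments above 20% clicked get re-training


@dataclass
class Campaign:
    tokens: dict = field(default_factory=dict)   # token -> (employee_id, department)
    clicked: set = field(default_factory=set)    # tokens whose link was followed
    reported: set = field(default_factory=set)   # tokens whose email was reported


def build_campaign(employees):
    """employees: iterable of (employee_id, department).
    One random 128-bit token per recipient; the token, not the person, goes in the URL."""
    campaign = Campaign()
    for emp_id, dept in employees:
        campaign.tokens[secrets.token_urlsafe(16)] = (emp_id, dept)
    return campaign


def tracking_link(token):
    """Link embedded in the simulated phishing email."""
    return TRACKING_BASE_URL + token


def record_click(campaign, token):
    """Called by the landing page; rejects tokens the campaign never issued."""
    if token not in campaign.tokens:
        return False
    campaign.clicked.add(token)
    return True


def record_report(campaign, token):
    """Called when the recipient forwards the email to the reporting mailbox."""
    if token not in campaign.tokens:
        return False
    campaign.reported.add(token)
    return True


def rates_by_department(campaign):
    """Returns {department: (recipients, click_rate, report_rate)}."""
    totals = defaultdict(lambda: [0, 0, 0])
    for token, (_, dept) in campaign.tokens.items():
        totals[dept][0] += 1
        totals[dept][1] += token in campaign.clicked
        totals[dept][2] += token in campaign.reported
    return {dept: (n, clicks / n, reports / n) for dept, (n, clicks, reports) in totals.items()}


def retraining_targets(campaign, threshold=CLICK_RATE_THRESHOLD):
    """Departments whose click rate exceeds the threshold, worst first."""
    rates = rates_by_department(campaign)
    over = [dept for dept, (_, click_rate, _) in rates.items() if click_rate > threshold]
    return sorted(over, key=lambda d: rates[d][1], reverse=True)


def demo_campaign():
    """Constructed sample run: ten recipients across three departments."""
    employees = [(f"e{i:02d}", "finance") for i in range(5)]
    employees += [(f"e{i:02d}", "hr") for i in range(5, 8)]
    employees += [(f"e{i:02d}", "it") for i in range(8, 10)]
    campaign = build_campaign(employees)
    by_id = {emp_id: tok for tok, (emp_id, _) in campaign.tokens.items()}
    # Simulated behaviour: two finance staff click (one also reports),
    # one HR person clicks, both IT staff report without clicking.
    record_click(campaign, by_id["e00"])
    record_click(campaign, by_id["e01"])
    record_report(campaign, by_id["e01"])
    record_click(campaign, by_id["e05"])
    record_report(campaign, by_id["e08"])
    record_report(campaign, by_id["e09"])
    record_click(campaign, "not-a-real-token")  # probe of the URL space, ignored
    return campaign


if __name__ == "__main__":
    c = demo_campaign()
    for dept, (n, click_rate, report_rate) in rates_by_department(c).items():
        print(f"{dept:8s} n={n} clicked={click_rate:.0%} reported={report_rate:.0%}")
    print("re-training:", retraining_targets(c))
```

Because the per-person mapping lives only in the campaign record, the data can be used to offer individuals targeted re-training while the reporting to management stays at department level, which fits the non-punitive culture discussed later on this page.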

At Zurich, we have been running simulated phishing attacks internally over the last 18 months, and we have seen a marked reduction in click rates.

Because criminals are constantly evolving their tactics, you should ensure any training you provide is regularly reviewed and refreshed.

Developing the right organisational culture

User training and awareness is an important part of an effective cybersecurity programme, but it should be supported by appropriate technical and organisational controls, such as multi-factor authentication, which limits the damage an attacker can do with a phished password.

You should ensure your employees know who to approach if they have concerns about a potential social engineering scam. For example, who to forward suspected phishing emails to, and who they should speak to if they are concerned they may have inadvertently downloaded malware onto their computer. This is also a matter of organisational culture. Staff must feel able to report attacks and potential breaches without fear of punishment.

Speed of response is crucial in order to contain a breach before attackers move further into the network and compromise valuable data, so it is vital employees know how and where to report incidents, including out of normal office hours. This is a particular challenge as more organisations move towards agile and remote working.

However, cyber criminals may also exploit the state of urgency that follows a cyber attack, for example by threatening to delete encrypted data if a ransom is not paid within a certain time. You should therefore ensure you have robust incident response protocols, communicated clearly throughout your organisation, that include specific guidance for employees on what to do if they are asked for a ransom.

While technical protections, such as firewalls, email filtering and regularly updated antivirus software, remain vital, your strongest line of defence is a vigilant and knowledgeable workforce.