Defending Against Social Engineering Attacks

Posted on 20 September 2017

Following on from our previous post about understanding social engineering and the impact it can have on your organisation, we’re looking at how you can defend against these attacks.

Social engineering is an undeniably disastrous threat. So, what can organisations do to be proactive in safeguarding their vulnerable people and keeping valuable data out of the hands of scam artists with intent to do harm?

Preventing Social Engineering

What follows is a list of Microsoft-recommended tangible changes that organisations can make, as well as security policies that can be implemented to help protect against social engineering. For any of this work to be effective, however, education is absolutely crucial.

To mitigate risk, start with new-employee training and follow through with regular threat assessments, policy updates and company-wide reviews. Also, keep communication open and team members well informed.

  • Antivirus/Anti-Phishing Defences: Layers of the latest antivirus defences at vulnerable locations like mail gateways and end-user desktops aren’t likely to solve the problem single-handedly, but they’re a good place to start.
  • Password Management: Outline rigorous standards for secure passwords and insist on regular expiration and change. Also ensure careful onsite and remote access authorisation and accountability.
  • Multi-Factor Authentication: Use multi-factor authentication rather than fixed passwords to authenticate high-risk network services like VPNs.
  • Change Management: When staff are comfortable and familiar with a well-documented change-management process (rather than reacting off the cuff), they are less vulnerable to an attack that relies on a false sense of urgency.
  • Information Classification: Ensure that confidential information is clearly labelled and handled as such.
  • Document Destruction: Physical copies of confidential information should be shredded rather than thrown into the waste or recycled.
  • Physical Security: Controls such as visitor logs, electronic security devices, escort requirements and background checks are key to a comprehensive security policy.
  • Promote an Awareness of Threats and Risky Behaviour: Educating employees about the real-world damage that such attacks have done to other companies is particularly impactful.
  • Empower Employees to Recognise Threats and Make Smart Security Decisions on Their Own: Because social engineering tactics change so frequently, fostering a sensitivity to risk, along with the tools to address it immediately and locally, is key.
  • Embed Security Awareness Deeply in the Minds of Your Team Members: Ensure that employees at every organisational level feel comfortable reporting anything suspicious.
  • Run Regular Tests: It’s now possible to stage phishing attacks using different solutions, so make the most of a test run before the real thing happens.

Turn Your Weakness into a Strength

No matter how strong your technical security is, your organisation’s people are often the most vulnerable link in the chain. But with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering.

This becomes possible when every individual in the organisation clearly understands the very real risks, the strategies that can offer protection, and the big-picture goals and limitations of enterprise security – the above is a great place to start.

Want to find out more? Get in touch with our team – they’re always happy to help.
