Following on from our previous post about understanding social engineering and the impact it can have on your organisation, we are going to look at how you can defend against these attacks.
Social engineering is an undeniable and potentially disastrous reality. So, what can organisations do proactively to protect their vulnerable people and keep valuable data out of the hands of scam artists with intent to do harm?
Real-world prevention strategies
What follows is a list of Microsoft-recommended tangible changes that can be made as well as security policies that can be implemented to help. But, for any of this work to be effective, education is absolutely crucial.
To mitigate risk, start with new-employee training and follow through with regular threat assessments, policy updates and company-wide reviews. Also keep communication open and team members well informed.
- Password management – Set clear standards for strong passwords (favour length over complexity rules and screen new passwords against lists of known-breached ones). Note that current guidance from NIST (SP 800-63B) and from Microsoft's own security baselines no longer recommends forced periodic expiry, which tends to produce predictable variations; change passwords when compromise is suspected instead. Also ensure careful onsite and remote access authorisation and accountability.
- Two-factor authentication – Use two-factor authentication rather than a fixed password alone for high-risk services such as VPNs and remote access. Prefer phishing-resistant methods (FIDO2 security keys or platform authenticators) over SMS or one-time codes: an attacker who can talk a user into revealing a password can usually talk them into reading out a code as well.
- Antivirus/anti-phishing defences – Layered anti-malware and anti-phishing filtering at exposed points such as mail gateways and end-user desktops will not solve the problem on its own, but it is a good place to start.
- Change management – When staff are comfortable and familiar with a well-documented change-management process (rather than reacting off the cuff), they are less vulnerable to an attack that relies on a false sense of urgency.
- Information classification – Ensure that confidential information is clearly called out and handled as such.
- Document destruction – Confidential information should be shredded rather than thrown into the waste or recycled.
- Physical security – Controls such as visitor logs, electronic security devices, escort requirements and background checks are key to a comprehensive security policy.
- Promote an awareness of threats and risky behaviour – Educating employees on the real-world damage done by such theft to other companies is particularly impactful.
- Empower employees to recognise threats and make smart security decisions on their own – Because social engineering tactics change so frequently, fostering a sensitivity to risk and the tools for addressing it immediately and locally is key.
- Embed security awareness deeply in the minds of your team members – Ensure that employees at every organisational level feel comfortable with reporting anything suspicious.
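As a worked example, added here and not taken from the original post or from any Microsoft product, the block below shows the kind of heuristic an anti-phishing layer at a mail gateway (third bullet above) applies to incoming messages: display-name impersonation of a staff member, a sender domain one typo away from the organisation's own, a Reply-To that silently redirects replies elsewhere, and the pressure language the change-management bullet warns about. INTERNAL_DOMAIN, the STAFF directory and the two sample messages are assumptions constructed for the example.

```python
"""Added example (not from the original post): a gateway-style impersonation check.

INTERNAL_DOMAIN, STAFF and the two sample messages are constructed for this
example; a real gateway would take the directory from AD/HR and see live mail.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# assumed: staff directory (display name -> address)
STAFF = {"jane doe": "jane.doe@example.com"}
# weak signal on its own; pressure language is a hallmark of social engineering
URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card", "before 5pm")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution
    (examp1e.com vs example.com): a cheap typo-squat detector."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # character deleted from a
        elif len(b) > len(a):
            j += 1          # character inserted into a
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)
    return edits == 1


def assess(raw_message):
    """Return a list of findings for one raw RFC 5322 message (empty = nothing suspicious)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)
    findings = []

    # 1. A known staff display name on an address that is not that person's address.
    expected = STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name impersonation: '%s' sent from %s" % (name, addr))

    # 2. Sender domain one typo away from ours.
    if from_domain and _within_one_edit(from_domain, INTERNAL_DOMAIN):
        findings.append("lookalike domain: %s" % from_domain)

    # 3. Replies silently redirected to a different domain.
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to redirection: replies go to %s" % reply_to)

    # 4. Pressure language in the subject (weak signal; combine with the above).
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency language in subject: %s" % ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
PHISH = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-office@mail-relay.net
To: finance@example.com
Subject: URGENT: wire transfer needed before 5pm

Please process the attached invoice today.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Slides for Thursday attached.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(raw) or "no findings")
```

Run against the constructed messages, the phishing sample trips all four checks while the legitimate one produces no findings. None of the checks is conclusive alone (a colleague really might write "urgent" in a subject line), which is why a gateway scores and combines such signals rather than blocking on any one of them, and why the people-focused controls in the rest of the list still matter.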
Turn your weakness into a strength
No matter how strong your technical security is, your organisation’s people are often the most vulnerable link in the chain. But, with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering.
However, this is only possible when every individual in the organisation clearly understands the very real risks, the strategies that can offer protection, and the big-picture goals and limitations of enterprise security.