People have been hacking devices forever. But humans have been hacking each other for even longer. From phone phreaking to ransomware, most technical exploitations are quickly discovered and interdicted. Your employees might be your company’s greatest strength, but they are also your network’s greatest vulnerability. What is Social Engineering? The perpetrator of a social engineering scam is an expert in human nature, using it to coax a target into revealing sensitive information. They might accomplish this through promises of friendship or romance or by misrepresenting themselves as someone with legitimate access to the information in question. That information could be anything from network protocols to your employees’ personally identifying information (PII) and, of course, passwords. As technical network security has become more robust, many of the latest hacks rely on at least one element of social engineering, which has long been a feature of telemarketing scams, especially those targeting the elderly. Employees may provide information to someone who successfully misrepresents themselves as a senior manager or IT department employee, a practice known as blagging. And not just companies are vulnerable to this kind of attack– so are the most secret government institutions, as demonstrated by the blagging-enabled hacking of a British intelligence officer’s laptop in 2012. The Facts and Figures One popular statistic floating around the Internet is that social engineering is responsible for 98% of cyberattacks. I wasn’t able to independently verify this “fact,” but anecdotally, social engineering is responsible for enabling an outsized number of attacks. It’s also one of the network protection techniques that employees receive the least amount of training on. In fact, Bitdefender, a network security company, found that the majority of employees receive no social engineering awareness training, which undoubtedly contributes to the continued prevalence of network penetrations. Why Social Engineering Works Social engineering works because we are victims of our own desires to be liked, respected and viewed as competent. Playing on these aspects of human nature enables a scammer to engineer risky behavior even when a network member knows they are doing something wrong. Added to that, we, as humans, consistently overestimate our ability to spot liars. The actual chance of us being able to correctly deduce if someone is lying is only about 50%-- the same probability that a flipped coin will land heads or tails, according to the American Psychological Association. What Should Companies Do? Network owners must prioritize including social engineering awareness in network security programs. That training should be conducted at least monthly, according to Defendify, which provides such training. When hiring network security trainers, companies should seek those that include regular social engineering awareness in their programs. For companies that develop their own training, social engineering should represent a key pillar with ongoing refreshers to reinforce the importance of not falling victim to social engineering techniques. People have been hacking devices forever. But humans have been hacking each other for even longer. People have been hacking devices forever. But humans have been hacking each other for even longer. From phone phreaking to ransomware, most technical exploitations are quickly discovered and interdicted. phreaking phreaking Your employees might be your company’s greatest strength, but they are also your network’s greatest vulnerability. What is Social Engineering? The perpetrator of a social engineering scam is an expert in human nature, using it to coax a target into revealing sensitive information. They might accomplish this through promises of friendship or romance or by misrepresenting themselves as someone with legitimate access to the information in question. That information could be anything from network protocols to your employees’ personally identifying information (PII) and, of course, passwords. As technical network security has become more robust, many of the latest hacks rely on at least one element of social engineering, which has long been a feature of telemarketing scams, especially those targeting the elderly . targeting the elderly targeting the elderly Employees may provide information to someone who successfully misrepresents themselves as a senior manager or IT department employee, a practice known as blagging . And not just companies are vulnerable to this kind of attack– so are the most secret government institutions, as demonstrated by the blagging-enabled hacking of a British intelligence officer’s laptop in 2012. blagging blagging British intelligence officer’s laptop British intelligence officer’s laptop The Facts and Figures One popular statistic floating around the Internet is that social engineering is responsible for 98% of cyberattacks . I wasn’t able to independently verify this “fact,” but anecdotally, social engineering is responsible for enabling an outsized number of attacks. 98% of cyberattacks 98% of cyberattacks It’s also one of the network protection techniques that employees receive the least amount of training on. In fact, Bitdefender, a network security company, found that the majority of employees receive no social engineering awareness training, which undoubtedly contributes to the continued prevalence of network penetrations. least no social engineering awareness no social engineering awareness Why Social Engineering Works Social engineering works because we are victims of our own desires to be liked, respected and viewed as competent. Playing on these aspects of human nature enables a scammer to engineer risky behavior even when a network member knows they are doing something wrong. Added to that, we, as humans, consistently overestimate our ability to spot liars. The actual chance of us being able to correctly deduce if someone is lying is only about 50%-- the same probability that a flipped coin will land heads or tails, according to the American Psychological Association . according to the American Psychological Association according to the American Psychological Association What Should Companies Do? Network owners must prioritize including social engineering awareness in network security programs. That training should be conducted at least monthly, according to Defendify, which provides such training. When hiring network security trainers, companies should seek those that include regular social engineering awareness in their programs. For companies that develop their own training, social engineering should represent a key pillar with ongoing refreshers to reinforce the importance of not falling victim to social engineering techniques.

This story contains new, firsthand information uncovered by the writer.

You Can Hack People, Too: The Art of Social Engineering

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

3 Security Mindsets for Engineers, Consultants and Architects

3 Steps You Might Not Have Thought of to Ensure Your Software Supply Chain Security

3 Ways CFOs can Prevent Phishing Attacks

4 Data Protection Tips for Remote Teams

4 Reasons for Cyber Intelligence Failure

5 Cybersecurity Mistakes You Probably Make Every Day (and How to Fix Them)

3 Security Mindsets for Engineers, Consultants and Architects

3 Steps You Might Not Have Thought of to Ensure Your Software Supply Chain Security

3 Ways CFOs can Prevent Phishing Attacks

4 Data Protection Tips for Remote Teams

4 Reasons for Cyber Intelligence Failure

5 Cybersecurity Mistakes You Probably Make Every Day (and How to Fix Them)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps