7 Tips for Defending Against Social Engineering Hacks

Viruses. Malware. DDoS attacks and self-replicating worms. There’s a lot of intimidating jargon surrounding Information Technology (IT) security. In the era of cyber crime and identity theft, it’s important to have security measures that can protect sensitive data. But there’s another threat to your information security that isn’t spyware or a computer virus at all. It could actually be you and your staff.

Socially Engineered Hacks

We’ve talked about how staff behaviour relates to information security before, but there’s another threat to your information security that is far more devious. It’s called a socially engineered hack, and it doesn’t rely on complex code. All it takes is a smooth-talking operator and a tiny lapse in judgement. In essence, a socially engineered hack targets people rather than machines. Social hackers get people to give up information which the hacker can then use to penetrate deeper into the organization.

Defending Your Organization

Social engineering hacks are devious and difficult to defend against. They prey on our natural inclination to be helpful, or to react without thinking in stressful situations. But you can take some steps to stay ahead.

  1. Educate yourself.
  2. Determine what information hackers will target.
  3. Pay attention to what people are asking for.
  4. Watch for threats or urgency.
  5. Make it personal for employees.
  6. Create a policy.
  7. Stick to it!

Educate yourself and your staff!

The best defense is being able to recognize a social hack as it happens. Knowing the different types of social engineering hacks goes a long way toward defending against them. You have to know what to look for before you can identify a socially engineered attack.

Determine what’s important to criminals.

Remember, attackers don’t share your organization’s sensibilities about what’s valuable. Or maybe your information valuations are the same, but for different reasons. For example, Continuing Competence information is important for ensuring members are up to date on best practices. However, hackers may use that same information to usurp a member’s identity and gain access to even more sensitive information.

Pay attention to what information seekers are asking for.

It’s important to understand what’s sensitive information and what’s not, as well as the pretext being used for a conversation. If the information someone’s asking for doesn’t jibe with what you’d expect, take a step back. For example, no reputable company will ever ask for your password. They’ll have an IT department that can legitimately access your account anyway. So if someone’s asking for your email address or password for any reason, there’s a good chance you’re the target of a social hack.

Watch for Pressure or Urgency.

Social engineers know we make mistakes when we’re under pressure, and they use that against us. They fill your head with warnings about the dire consequences of inaction, and may even make threats about what could happen if you don’t help. This is particularly difficult for member-facing employees, who need to walk a thin line between being helpful and divulging information people don’t need. Make sure employees understand they won’t be punished for abiding by your policy, even if it causes some inconvenience.

Make it personal.

Employees take information security more seriously when they understand that their personal information and identity are also at risk. Criminals don’t respect the boundary between home and work; if they discover an easy mark, employees could find their personal lives targeted in future hacks. People need to be as scrupulous about security at the office as they are at home. Letting a tailgater follow them through a door at the office is just as bad as letting a stranger follow them through the door at home. Ask employees what they would do if they saw a delivery man hanging around their kitchen. It might help them understand how some social hacks work, and what to do about them.

Write a policy and make sure staff understand it.

Once you and your staff know the telltale signs of a social hack, as well as what sensitive information hackers may target, it’s time to put that knowledge to work. Formulate a comprehensive information security policy, and make certain everyone who has access to the information understands it.

Stick to it!

Social hackers rely on our innate desire to be helpful and to protect ourselves from harm to gain access to privileged information. That’s why you need to make it clear to users that they have to be firm in the face of distressing situations. It doesn’t matter if you hear a child crying while her mother calls for tech support. That’s exactly the kind of situation a social hacker will exploit. You might make someone’s day a little more difficult, but yours will be much worse if you accidentally cause a breach. Policies don’t mean anything if they’re not implemented. Reassure employees that they can’t go wrong, even in urgent situations, by following procedure.

Socially engineered hacks can be difficult to deal with because they prey on our better instincts. We have a natural tendency to trust, and to help when we can. Unlike software, though, people can’t just download the latest update to patch themselves. Organizations need to be vigilant against social hackers looking to use our better natures against us.

Have any other tips for helping organizations defend against social hacks? Let us know in the comments below.