When we mention cybersecurity, our attention often goes to hackers who exploit vulnerabilities. We often narrow our thoughts to vulnerabilities in data networks. But there is another route into organizational networks that most people miss. This involves taking advantage of human weaknesses, called social engineering.
In social engineering, the attacker tricks a person into divulging information or granting access to sensitive areas. Just like in some movies, an attacker can pose as IT helpdesk staff and go around getting users to hand over their usernames and passwords. He may even carry a fake ID card. It is surprising how many people do not question the authority of such people before giving away sensitive information.
Cybercriminals use the information for online fraud, blackmail, or identity theft. Social engineering is the use of interpersonal influence to build rapport and trust with a person, with the aim of gaining access to sensitive information. Passive social engineering doesn’t even need the interpersonal component in the form of conversations, calls, and direct messages. Here, cybercriminals operate even more subtly: an inconspicuous look over the shoulder, an inspection of the documents in the bin, or a prepared USB stick left behind.
The best technical solutions reach their limits when attackers can exploit the insecurity and ignorance of teams and employees. No security concept is complete if the human vulnerability is not also taken into account. Security awareness training helps companies close this vulnerability and sensitize the workforce to potential threats. Employees should learn to recognize suspicious e-mail attachments and manipulated websites and act accordingly. They should also know how to protect themselves from passive social engineering in their everyday work.
Pay attention to your surroundings
Many companies give their employees the freedom to work from anywhere – this can be in the home office, but also in a café, train, or plane. Oftentimes, public places are more vulnerable to attack. For instance, using public Wi-Fi for sensitive office work is risky. Is someone nearby? Can unauthorized persons view your own screen or work documents?
Also, documents and devices should never be left unattended – not even for a few seconds, for example, to get a new drink in a café. A few moments are enough for criminals to photograph information or gain access to data with a few clicks. Privacy filters are flat plastic panels that restrict the viewing angle. They are placed in front of the screen and can thus protect data from prying and unauthorized views.
These steps will not prevent your account from being compromised if a service provider is socially engineered and gives your account details to the attacker. But they could at least cut the possible damage and also give you more peace since you will be doing everything you can to protect yourself.
Dispose of storage media and documents correctly
Storage media, from hard drives to USB sticks, must be professionally erased to ensure data does not fall into the wrong hands. With paper-based documents, professional destruction is essential – even in the home office! This ensures that criminals rummaging through the paper bins do not stumble upon real data treasures that open the door to systems, databases, and more. All devices – from laptops to tablets to smartphones – should be adequately protected and kept physically safe when not in use. A car or a checked-in suitcase is not a safe place.
Protect device access
All devices should be secured with a password or biometric factors. Sensitive systems must also be additionally protected using multi-factor authentication. Use credit cards wisely. If you use a debit card and a hacker gains access to the number, they could totally wipe out your bank account. You can further protect your credit card by not storing card numbers on websites, or by using virtual or disposable numbers (such as those offered by Citibank, Bank of America, and Discover).
Be wary of any questions that don’t fit the caller’s pretext. When asked for information, consider whether the person you are speaking with is entitled to the information they are asking for. As an organization, it is good practice to give security awareness training that sensitizes employees to threats and security incidents so that they can recognize them and take appropriate action.
Enable remote location and erasure
To prevent data from falling into the wrong hands in the event of theft, the “Remote location and deletion” function should be activated on the devices.
Keep your hands off third-party storage media and cables
A USB stick lying around in a public space that doesn’t belong to anyone? Suspicious! It may have been deliberately prepared with malware by cybercriminals and left behind for unsuspecting people to find and plug in, damaging their own devices and systems. Therefore, the following applies: never connect third-party devices, storage media, or cables to your laptop.
Protect all types of data from social engineering
Cybercriminals obtain information in a variety of ways to gain access to devices, systems, applications, or user accounts. Therefore, it is important to protect all types of data – paper-based documents, computers, mobile devices, and other data carriers.
The most important thing you can do to avoid falling victim to social engineering attacks is to adopt a healthy skepticism and to always remain as vigilant as possible. Real IT departments and other services will never ask you for your password or sensitive information over the phone. And finally, keep the measures above in mind in your everyday work.