Combat Social Engineering

September 1, 2010

Smart criminals know their success hinges on exploiting weakness. That’s why they go after the lowest-hanging fruit.

For social engineers, that weak link typically is an organization’s own staff and procedures, says David Blazier, marketing manager for TraceSecurity, a CUNA Strategic Services strategic alliance provider.

Unlike traditional security threats, social engineering exploits human nature: people’s desire to help others, avoid conflict, prevent mistakes, and spare others from getting in trouble, he says.

Seasoned social engineers target low- and mid-level employees such as receptionists, cleaning crews, tellers, and even managers of remote locations.

Blazier advises “reinforcing the chain” by giving staff adequate tools to combat social engineering. These include:

  • Policies and procedures that go beyond obvious threats and address scenarios unique to the organization;
  • Security awareness training that includes role-based training for positions vulnerable to social engineering tactics;
  • Systematic controls, such as a shared vendor/visitor tracking system that accounts for vendors at remote branches; and
  • Frequent reminders (i.e., e-mails and posters) to staff about the organization’s commitment to security.

“The most advanced firewalls, intrusion detection systems, and video surveillance don’t offer much protection against social engineers who use unsuspecting employees to breach security and access sensitive information,” Blazier says. “The best defense is a well-trained, well-equipped staff that understands its role in protecting the organization. It’s up to management to provide staff with the training, guidance, and tools to effectively combat this growing threat.”