6 Ways to Protect Your Company Against Social Engineering Attacks

essidsolutions

Regardless of how much you invest in network security to prevent data theft, the most significant threat will always come from your users. The human element leaves your network vulnerable to social engineering attacks. Here are six ways you can protect your company data against social engineering threats.

1. Categorize Your Company’s Most Valuable Assets

Although your company’s proprietary data should rank at the top of the list, you should also consider assets an attacker could find valuable. When considering what assets and information to protect, think beyond the value to the company. Think about which services, intellectual property, and goods or products might be useful to an attacker.

2. Develop a Policy and User Awareness Training

Once you have your assets categorized, a good practice is to develop a security policy to protect them. Security awareness training should follow and enforce the policy. All employees who use the network must be required to take annual awareness training and sign a user agreement form with requirements from the policy. This will help ensure that your employees follow the policy. The training should teach employees what social engineering is and how they can avoid being responsible for letting company data and assets fall into the wrong hands.

3. Personalize Your Security Programs for Your Employees

Many employees may ignore security because they don’t feel a personal sense of accountability. Ensuring that employees understand they are the front lines of defense for a company is critical for preventing social engineering attacks. Employees should understand what applies both at work and at home. Employees should learn to change their habits and be aware of potential social engineering attempts.

4. Consider All Sources Asking for Information

As part of social engineering awareness, employees must consider whether the person requesting information deserves to know it. In several cases, the people with whom you or your employees talk do not need to know intricate details about your company or its network. Some social engineering attempts play on emotions and can mislead employees into inadvertently releasing information that can be used to attack a network.

Social engineers prey on overly helpful employees. They leverage employees’ instinct to be helpful to their advantage. While customer-facing employees should always be helpful, they should also understand their limitations.

5. Be Aware of Suspicious Inquiries

Someone asking questions about something they shouldn’t be privy to should set off instant alarms. Your employees must be aware when questions people ask in person or over the phone don’t match the norm. For instance, why would a customer ask about your internal firewall settings or what type of antivirus you use on your networks?

6. Don’t Back Down

If someone is persistent in asking your employees for information, have your employees redirect the questions to company leadership or their supervisor. Many times, social engineers will back off if their inquiries are escalated. Your employees should know that they will not be faulted for putting up resistance against social engineers. Prepare a script for your employees to read in case they receive a call with questionable inquiries. The script can include a statement about company policy prohibiting the release of the information in question. In addition, you could provide your employees with a checklist or form to complete when they suspect a social engineering attempt, so that the company and other employees are made aware of it.