Social Engineering Attacks: Tactics and Defenses

Thomas Le Coz

Social Engineering

Phishing may be one of the oldest social engineering techniques, in common use since the 1990s. Yet it’s still the most common attack vector, with more than two in five incidents involving phishing as the pathway to compromise.

That’s because its success relies on exploiting something that’s been around far longer than 30+ years. We’re talking about human nature.

In this article we’ll explore how people’s emotions become business vulnerabilities, why social engineering is so effective, and three powerful principles to secure and protect your environment.

‘Attention attackers – here I am’

If you’re a CISO, you’ll know that tackling social engineering isn’t simply a case of deploying new defense systems, especially when you’re responsible for anywhere from 250 to a few thousand employees.

Maybe a senior executive is featured in an industry publication. Or a new employee has added an ‘I’ve started a new job’ LinkedIn update. Perhaps your corporate website has a ‘meet the team’ page showing all your employees and their roles.

Either way, attackers use these types of signals to identify high-value targets.

Then it’s about deploying multiple methods of deception to gain their trust, so they compromise either their own security or the business’s.

That could mean the target accidentally giving away sensitive login information. They might be tricked into downloading malware that bypasses standard security controls. Anything that can give malicious actors control of systems, access to data, or a way to extort and commit cybercrimes.

There’s no ‘spray and pray’ with thousands of badly worded emails or obviously fake URLs. And no .exe attachments that your email security system can spot and bounce away without even blinking.

Just a load of human-led psychological manipulation.

Emotional over rational: Why social engineering works

Imagine you’ve just started a new job. Ping – an email from the CEO lands in your inbox. Welcoming you to the company.

That’s nice, you think. With warm feelings of pride swirling around inside, you read on. ‘Can you do me a quick favor? I need a payment sent to one of our suppliers today. Otherwise we’ll lose the discount they’ve offered.’

That’s three psychological hooks right there, each one capable of manipulating people into abandoning rational thought and acting without thinking:

  • Authority (it’s the CEO, I’d better do what they want)
  • Urgency (no time to waste, this needs to be done today)
  • Fear (panic mode, what if I lose the company money)

It’s only natural that many people (maybe not you, because you’re reading this) might feel under pressure to complete the request. We’re only human after all. Thousands of years of evolution and survival instinct have wired our brains to feel and act on these emotional triggers.

However, for an attacker these human elements are vulnerabilities to be exploited.

Hang on, you might say. Personalization is powerful, but it’s not easily scalable because it takes a lot of manual resources to identify individuals in this way. So there’s only a limited risk from social engineering exploits, right?

Well, no. Threat actors now use large language models (LLMs) to launch large-scale social engineering attacks, and Gartner predicts that by 2027, 17% of total cyberattacks/data leaks will involve generative AI.

That’s why it’s time to turn human weaknesses into human strengths.

3 defense principles against social engineering

These principles complement each other, giving you an interconnected social engineering security fabric.

Principle 1: Technical defense

Here’s where the human element gets technical support to mitigate against social engineering.

Email filters

Social engineering attacks are more sophisticated than mass spam: the language is better, and messages are often sent individually rather than thousands at a time.

This means businesses need advanced spam filters that analyze sender domains and reputations, as well as the content and URLs.
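To make the sender, content and URL checks above concrete, here is an added example (not code from the original article) that scores a single message on exactly those signals. The company domain, the executive directory and the sample message are all constructed; the sample mirrors the ‘CEO welcomes the new hire’ email described earlier.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the company's own domain and a directory of executives an impersonator may borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("today", "urgent", "immediately", "otherwise we'll lose")
PAYMENT_WORDS = ("payment", "wire", "transfer", "invoice", "supplier")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url: str) -> str:
    """Hostname part of a URL or bare domain, lower-cased."""
    return re.sub(r"^https?://", "", url.strip(), flags=re.I).split("/")[0].lower()

def score_message(raw: str) -> dict:
    """Return the signals triggered by one RFC 822 message plus a simple risk score."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload().lower()  # plain-text, non-multipart body only
    signals = set()
    # Sender checks: external domain, executive name on a foreign address, diverted Reply-To.
    if host_of(addr.rpartition("@")[2]) != COMPANY_DOMAIN:
        signals.add("external_domain")
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr.lower() != known:
        signals.add("exec_impersonation")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        signals.add("reply_to_mismatch")
    # Content checks: the urgency and payment hooks described above.
    if any(w in body for w in URGENCY_WORDS):
        signals.add("urgency")
    if any(w in body for w in PAYMENT_WORDS):
        signals.add("payment_request")
    # URL check: link text showing one host while the href points at another.
    for href, anchor in LINK_RE.findall(body):
        if "." in anchor and " " not in anchor.strip() and host_of(anchor) != host_of(href):
            signals.add("url_mismatch")
    return {"signals": sorted(signals), "score": len(signals)}

# Constructed sample mirroring the 'CEO welcomes the new hire' email above.
SAMPLE = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.jane@freemail-example.net

Welcome to the company! Can you do me a quick favor? I need a payment sent to
one of our suppliers today. Otherwise we'll lose the discount they've offered.
Details: <a href="http://portal-login.example.net/pay">portal.example.com</a>
"""
```

Running `score_message(SAMPLE)` flags all six signals; a genuine welcome note from the real executive address scores zero.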

Strong authentication

The rise in remote working and distributed environments means identity has become a key defense. One option is passwordless authentication, where attempted logins are assessed on contextual criteria including times, locations, and devices.

Policy enforcement

Access policies allow businesses to stay compliant. Policies can be set up for third-party payments, such as dual authorization, where the same person can’t both request and approve a payment.

This 'separation of duties' is essential for Sarbanes-Oxley Act compliance, and is recommended for organizations with compliance requirements as part of SOC 2 and ISO 27001. A similar role-based access control is also a requirement in PCI DSS.

Plus, when deployed correctly, access policies can also offer competitive advantage, simply by allowing users access to time-sensitive information at the right time without having to submit a request to the IT helpdesk.
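The dual authorization policy described above, as an added example that is not from the original article: a small payment workflow in which a requester can never approve their own payment and nothing is released without an independent second approval. The role names and the two users are constructed; in the ‘CEO asks the new hire for a payment’ scenario, the new hire can only raise the request, so the manipulation stops at the independent approver.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

class PolicyViolation(Exception):
    """Raised when an action would break the payment policy."""

@dataclass
class Payment:
    payee: str
    amount: float
    requested_by: str
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)

class PaymentWorkflow:
    """Dual authorization: the person who requests a payment can never approve it."""

    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles  # user -> roles held, e.g. {"requester", "approver"}

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise PolicyViolation(f"{user} lacks the '{role}' role")

    def request(self, user: str, payee: str, amount: float) -> Payment:
        self._require(user, "requester")
        return Payment(payee, amount, user, audit=[f"requested by {user}"])

    def approve(self, user: str, payment: Payment) -> Payment:
        self._require(user, "approver")
        if user == payment.requested_by:
            raise PolicyViolation("separation of duties: cannot approve your own request")
        if payment.approved_by is not None:
            raise PolicyViolation("payment already approved")
        payment.approved_by = user
        payment.audit.append(f"approved by {user}")
        return payment

    def release(self, payment: Payment) -> bool:
        """Final gate before money moves: an independent second person must have approved."""
        if payment.approved_by in (None, payment.requested_by):
            raise PolicyViolation("release requires independent approval")
        payment.audit.append("released")
        return True

# Constructed roles: a new hire may only request; the finance lead holds both roles.
ROLES = {"newhire": {"requester"}, "finance_lead": {"requester", "approver"}}
```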

Principle 2: Theoretical training

Educate employees about how to recognize social engineering threats, and they become your first line of defense.

Yes, some people might find authentication a hassle if they have to remember their device or hardware key. Others might be among those who reuse 16 of their 22 account login passwords.

But when employees are trained ‘why’ they’re being asked to do something, they’re more likely to get on board and feel responsibility for the business.

Principle 3: Practical defense

There’s no substitute for experience. But you don’t want employees to have to go through a real socially engineered breach.

Attack simulation is the next best thing. If an employee falls for a simulated attack, go through the steps that led up to their final act or decision.

That way you can reverse-engineer the social engineering and focus on where the person’s emotions took over and affected their decision-making. Over time they build defense reflexes which act as muscle memory when a real attack takes place.

The cybersecurity skills shortage (a gap of nearly 4 million professionals) isn’t going away any time soon. Instead it’s about supporting your existing labor force to become the new perimeter.

After all, the value of data in today’s organizations means that breaches are no longer an IT-only problem. They impact every function that uses data – from strategy to operations to governance.

That means equipping the entire business with training and experience across the 3 defense principles:

  • Technical: to discover more about the mechanisms you use, from filtering and authenticating, to identity management and verification
  • Theoretical: to understand their roles and responsibilities in enabling these mechanisms and safeguarding valuable data, IP, and corporate reputation
  • Practical: to experience realistic defense training, evoking memorable emotions to better recognize and repel social engineering attacks

Put these in place, and you can harness human nature in a new way, turning it from a potential exploit into a continuously improving, continuously developing defense.

To discover how these principles can be deployed in your business, book a quick tour.