One of our more popular posts last year dealt with creating a cybersecurity-conscious work culture. Today we explore how your organization's culture can help prevent an increasingly common, and largely non-technical, tactic used by attackers: social engineering. The cultural aspect in question is how acceptable it is to challenge, or push back on, requests within your organization, especially urgent, unexpected, or unusual requests that appear to come from senior leaders. We describe social engineering and its identifying features; what management and employees can do to build and take part in a culture that encourages pushing back; and how this change, coupled with education and awareness, can reduce the likelihood of social engineering succeeding and impacting the business.
What is Social Engineering?
Social engineering is a tactic used by threat actors to manipulate their target into revealing sensitive information (such as a username and password) or taking an action on the attacker's behalf. It plays on the fact that people are generally inclined to trust and help one another. Threat actors using this tactic will often try to create a sense of urgency, offer an incentive for participating, or threaten consequences for not participating. One increasingly popular flavour is to assume the identity of an internal authority figure, such as a senior executive, the IT team, or the victim's direct manager, to deceive the victim into helping 'them'. When a social engineer impersonates a sender by registering a similar-looking (lookalike) email address or domain, or by forging the sender details of a message, this is known as spoofing. Note that this is no longer limited to email: social profiles and phone numbers (caller ID) can be spoofed as well. And legitimate email accounts and phone numbers can also be compromised, so that the message genuinely comes from a trusted source, but the person behind it is not the real owner. That last case is the one no lookalike check can catch, and it is where questioning the request itself matters most.
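To make the lookalike-address flavour of spoofing concrete, here is a small sender check of the kind a mail gateway or a helpdesk triage script might run. It is an added example written for this post, not code from IntelliGO or from the original article; the trusted domains, the executive name, the confusable table and every sample header are constructed for illustration, and the From-header parser is deliberately simplified (real headers can carry comments, groups and encoded words). It flags a sender domain that is a confusable spelling of, one edit away from, or a prefix-abuse of a trusted domain, a display name that claims an internal address while the real address is external, an executive's name paired with an external domain, and non-ASCII (homoglyph) characters in the domain. Note what it cannot flag: a genuinely compromised internal account, which is exactly the case the cultural control is for.

```python
"""Lookalike-sender check for the spoofing described above (added example, not from the post)."""
import re
import unicodedata

# Assumed: the organisation's own mail domains; subdomains of these count as internal.
TRUSTED_DOMAINS = {"example.com", "corp.example.com"}
# Assumed: display names an attacker is likely to impersonate (constructed).
EXECUTIVES = {"jane doe"}
# ASCII substitutions commonly used in lookalike domains; multi-character entries first.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

_ANGLE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")


def split_from_header(value: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' (or a bare address) into (display_name, address).
    Simplified on purpose; it is enough for the constructed samples below."""
    m = _ANGLE.match(value)
    name, addr = (m.group("name"), m.group("addr")) if m else ("", value)
    return name.strip().strip('"').strip(), addr.strip().lower()


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents, and collapse common ASCII confusables so that
    'exarnple.com' and 'examp1e.com' both become 'example.com'."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS, executives=EXECUTIVES) -> list[str]:
    """Return the reasons a From: header looks like an impersonation; an empty list means no finding."""
    display_name, address = split_from_header(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1]
    if is_trusted(domain, trusted):
        return []  # internal sender; a compromised internal account is NOT detectable here
    findings = []
    if not domain.isascii():
        findings.append(f"non-ASCII characters in sender domain '{domain}'")
    norm = normalize_domain(domain)
    for t in sorted(trusted):
        tn = normalize_domain(t)
        if norm == tn:
            findings.append(f"'{domain}' is a confusable spelling of trusted '{t}'")
        elif levenshtein(norm, tn) == 1:
            findings.append(f"'{domain}' is one edit away from trusted '{t}'")
        elif domain.startswith(t + "."):
            findings.append(f"'{domain}' uses trusted '{t}' as a subdomain prefix")
    brand_labels = {t.split(".")[-2] for t in trusted}
    if not findings and any(label in norm for label in brand_labels):
        findings.append(f"'{domain}' contains a trusted brand name but is not a trusted domain")
    if "@" in display_name and is_trusted(display_name.rsplit("@", 1)[1].lower(), trusted):
        findings.append("display name claims a trusted address but the real sender is external")
    if display_name.lower() in executives:
        findings.append(f"display name matches executive '{display_name}' but sender domain is external")
    return findings


# Constructed sample headers, one per case the check is meant to catch.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",                            # legitimate
    "Jane Doe <jane.doe@mail.example.com>",                       # legitimate subdomain
    "Accounts Payable <ap@exarnple.com>",                         # 'rn' looks like 'm'
    "HR <hr@examplle.com>",                                       # one-character typosquat
    "IT Helpdesk <helpdesk@example.com.account-verify.net>",      # trusted domain as a prefix
    '"jane.doe@example.com" <jd.urgent.office@mail-example.net>', # display name claims internal address
    "Finance <finance@ex\u0430mple.com>",                         # Cyrillic 'а' homoglyph
    "Jane Doe <jane.doe.ceo@gmail.com>",                          # executive name, external domain
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_sender(header) or ["ok"])
```

A check like this is cheap and worth having, but it only ever answers "does the sender look internal?"; the cultural control in the rest of this post is what covers the case where the answer is a truthful yes and the account has simply been taken over.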
What can you do?
There are several things your organization can do to mitigate the risk of social engineering via spoofing, including technical ones (such as registering the obvious lookalike domains yourself and flagging mail from external senders) and policy-based ones to prevent legitimate accounts from being compromised (such as strong password policies and multi-factor authentication). Our focus today is on a cultural one: encouraging your people to push back, which is a valuable failsafe for the cases the technical controls miss. By pushing back we mean not blindly following instructions just because they appear to come from an authority figure. There are many diplomatic responses to an unusual request that can reveal or deter a social engineer, such as "What business outcome does this drive?" or "That's not in keeping with our policy; can you explain?" For staff members nervous about pushing back directly, advise them to verify a suspicious request with a colleague, or with the apparent requester through a channel they already trust (a known phone number, a walk to their desk), rather than by replying to the message itself.
What does that mean?
A culture that accepts and encourages challenging assumptions means that employees are free from ridicule for having questioned their directives. It also means that opinions on alternative courses of action, and warnings about possible consequences, are heard out. As an advocate for this strategy, you will need to set the expectation with other leaders in the organization that urgent, unusual, or not-in-person requests may be met with scrutiny, and that they should be understanding, especially in the early stages. Similarly, you will want to explain to staff that this does not mean questioning 'every little thing', nor that insubordination is acceptable; everybody needs to act professionally.
How does it help?
Pushing back has other benefits (Forbes discusses innovation as one), and it can quickly dispel a spoof by revealing the requester to be an imposter. The social engineer's aim is to get the victim to act before they have had time to think; if questioning is part of your culture, that plan is derailed. Imagine the reaction of a social engineer who is met with "Won't that violate our information security policy?" or "I'll need to check that vendor with finance first; will tomorrow be OK?" They are looking for the path of least resistance and may simply move on to the next potential victim.
Critics will be quick to point out that a good social engineer will have answers ready for rudimentary objections, and that pushing back on its own is insufficient to prevent these attacks. We aren't claiming that this single change makes your organization untouchable. We are merely proposing that technology and policies aren't the only factors when it comes to social engineering specifically, and cybersecurity in general. Pushing back is just one part of a resilient culture, in which employees are both aware of the threats (digital and otherwise) their business is facing, and educated in behaviours that reduce the likelihood and impact of those threats.
While having the right culture at your business can help limit the efficacy of social engineering attacks, it can't be your only defense. Check out our other posts on password policies and on the operations team's role in your incident response plan, to ensure you have a proper incident response plan in place that is communicated to your employees. Training your staff on what to look for when identifying suspicious emails helps too.
Another great way to ensure your organization is protected when you do fall victim to social engineering or other threats is to sign up for IntelliGO’s Managed Detection and Response Service. We look at outcomes of actions to determine malicious intent, and respond to mitigate the risk of impact on your business. You don’t need to be in a security or an IT role – this is all about risk mitigation, and we’re making the conversation accessible to everybody. Reach out to talk to one of our experts today.