Social engineering is not a new way of networking with technical people. It is, however, one of the oldest and greatest threats to computer security, and new and more creative methods are constantly being put into practice. Add to the mix a complacent mind-set and a lack of education, and a business is at risk of an IT disaster.
Social engineering can be defined as a non-technical type of intrusion that relies on human interaction and uses tricks and bogus warnings to get people to react before they think. The main method of operation is email; however, social engineering can also be used to gain unauthorized access to systems directly. Attacks may take the form of a great opportunity for wealth, usually involving another country, whose real goal is to separate you from your money.
Then there is the critical “act now” email that demands an immediate action, such as logging into some account. The sender is kind enough to include the link in the message, which actually leads to their password-capture website. You might receive an email from a friend suggesting you “check out this great video”. What you don’t know is that your friend’s email account has been compromised without their knowledge, and that link is about to download malware or a virus onto your system. The social engineer may not involve your systems at all at first. For example, a naive employee may allow an unauthorized person posing as a service technician access to your data.
So how do you protect your systems? It starts with education and keeping security at the forefront of your employees’ minds. Help them understand the latest social engineering techniques. Encourage users to slow down when put into react mode and think about what they are being asked to do. If instructed to “click on this link now”, hover over the link to see where it really leads. If there is any doubt, make a phone call to the requesting organization and verify that they sent the email. Encourage the habit of investigating when something doesn’t look right. Tell your employees not to open email from people or businesses with whom they are unfamiliar, and never to download from an unknown source.
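The “hover over the link to see where it really leads” check above can also be applied automatically to incoming mail. The following is an added example, not part of the original article: it parses the anchors in a constructed HTML message and flags any whose visible text names one domain while the href points at another. The sample message and every domain in it are constructed, and the registered-domain helper is a deliberate simplification noted in its docstring.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an "act now" message; all domains are made up for this example.
SAMPLE_EMAIL = """<p>Your account will be locked. Act now:</p>
<a href="http://examplebank.com.login-verify.example/">https://www.examplebank.com/login</a>
<p>Also <a href="https://www.examplebank.com/help">contact support</a>.</p>"""

# Visible link text that a reader would take for a web address.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":                      # anchor opens: remember its target
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:          # inside an anchor: gather shown text
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(s):
    """Host named by a URL or a bare domain string ('' if none)."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def registered_domain(host):
    """Last two labels of a host: a deliberate simplification (assumption)
    that ignores multi-label public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])

def deceptive_links(html):
    """Return (text, href) pairs whose visible text names one domain while
    the href leads to another, i.e. what hovering over the link would reveal."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for text, href in parser.links
            if URL_LIKE.fullmatch(text)
            and registered_domain(host_of(text)) != registered_domain(host_of(href))]

if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_EMAIL):
        print(f"shown: {text}\n  real: {href}")
```

Plain-language link text such as “contact support” is not judged, since only text that itself looks like an address can mislead a reader about the destination.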
Finally, train your employees to understand the importance of protecting your IT systems. Credentials should always be checked when access is requested, whether by a service organization or a utility worker. Make no assumptions when dealing with data, the lifeline of your company. And whether it’s personal or business email, remember the old saying: if it looks too good to be true, it probably is.
Ted Saul is a business coach living in Murrieta, Ca. He holds a BA and MBA from Regis University and can be reached at ted@tsaul.com.