Social engineering is a very common concept in cybersecurity. It's a technique used to commit scams, especially via email. In short, social engineering is a method of identifying and targeting people: its focus is to deceive and persuade a target after extensive research and behavior analysis. Most of the time, scams that use social engineering are phishing and spear phishing attacks.
To illustrate the point, let's look at the numbers. Social engineering is present in 33% of the security incidents reported by Verizon in the 2019 Data Breach Investigations Report (DBIR). Altogether, the company reported 41,000 security incidents in different countries.
According to the FBI, phishing scams caused losses of more than USD 48 million in 2018. Likewise, the damages involving attacks classified as Business Email Compromise (BEC) and Email Account Compromise (EAC), which are types of spear phishing, increased from USD 675 million to USD 1.2 billion. The number has almost doubled. That's an alarming situation.
Given this, we've created a list of things that you can do to improve your company's protection against hacker attacks that employ social engineering.
Protecting against social engineering attacks
1. Be aware of the business’s presence on the internet
Social engineering happens because the internet works as a huge encyclopedia. For example, through search engines, such as Google and Bing, and social networks, such as LinkedIn, Facebook and Twitter, you can learn a lot about companies and their employees. So, because of this, you need to be careful about your company's presence on the internet. Information that might be considered confidential may be available to everyone.
In addition, you also need to understand the assets that your company handles. Your business may be overly concerned with some types of information, leaving out important ones. So two questions to ask yourself are: How do I protect my business information? And how do I protect the customers’ information?
2. Make employees care about cybersecurity
Social engineering attacks are people-centered. It's the so-called human factor. Keeping this in mind, one of the best ways to protect your company against social engineering is to educate your team. It's critical that people working with you know how to identify different types of attacks. For this, you can count on the help of security awareness solutions or invest in creating guidelines with information on the main threats.
Another important point is to define who can access what. The more people have access to information that has nothing to do with the role they play, the worse for the company. This is a very common problem, especially in small and medium businesses (SMBs).
3. Check for patches for your systems and programs
A tip that can be extremely helpful is keeping your systems up to date. An attacker can, for example, start a scam using malicious emails and social engineering. Then, in a second step, they can use malware to exploit vulnerabilities in your system, software, or programs. Therefore, keeping systems up to date will help combat these threats.
In addition to the updates, keeping backups is critical for when the damage would otherwise be almost irreparable.
4. Pay special attention to emails
We say this a lot to clients and partners: email is the main threat vector. And social engineering is directly related to malicious emails. So it's fundamental that companies use anti-spam, anti-malware, and anti-phishing solutions. The goal is to stay protected, free from threats, minimizing the risk of data breaches and unnecessary headaches.
Take the opportunity and talk to your team about suspicious messages and unusual requests, whether via email, phone or in person. Any suspicious request must be viewed with caution, as it may be part of a social engineering attack. In these cases, the best thing to do is to confirm the legitimacy of the request in another way. As they say, it's better to be safe than sorry.