The evidence is clear: there is nothing most people and organizations can do that lowers cybersecurity risk more than mitigating social engineering attacks. Social engineering is involved in 70%-90% of all successful attacks. No other root cause of initial breach comes close (unpatched software is involved in 20% to 40% of attacks, and everything else is in the single digits).
Every person and organization should create their best possible defense-in-depth plan to fight social engineering. It needs to be a combination of policies, technical defenses and education.
Those policies, technical defenses and education should focus first on preventing hackers and malware from compromising the environment, then on early-warning detection if something malicious gets past your preventative controls, and finally on low-cost, quick recovery if something malicious is detected. This “3x3” controls model (prevention, detection and recovery, each delivered through policy, technical defenses and education) should be applied to fighting social engineering attacks.
The rest of this post quickly summarizes the policies, technical controls, education and other tips and tricks you should consider to mitigate the threat of social engineering.
Policies
Policies are the official organizational rules or procedures everyone should follow in a particular situation. Although they are educational in nature, they also direct the tools and processes that support them. Here are the policies every organization should have to mitigate social engineering:
Acceptable Use Policy
Every organization should have an Acceptable Use Policy (AUP) covering the allowed and supported procedures and actions of every employee and contractor with access to the corporate environment and confidential data. Each of them reviews and signs it when hired, and annually thereafter. It is a broad-ranging policy covering physical, technical and human practices in support of the organization’s IT security policy. As examples, related rules might include:
- Lock your desktop screen when not in direct control of your device
- Do not use the same password at work as you do anywhere else
- Do not give out your password to anyone requesting it, including anyone claiming to be from IT or through email
- Do not leave corporate equipment or confidential documents unmonitored anywhere, including on your desktop or in a locked vehicle
IT Security Policy
This document includes all required IT security controls and processes the company follows to best ensure cybersecurity. The IT security policy may consist of rules, but it can also name specific software and tools that must be used, along with required processes and approvals. It should be reviewed and signed whenever a new employee or contractor is hired, and any updates reviewed and approved when they occur.
Anti-Social Engineering Policies
Since social engineering is involved in most hacker and malware attacks, every organization should have specific policies and education that define, address and mitigate social engineering attacks. Every employee and contractor should be made aware of the seriousness with which the organization takes social engineering attacks and educated to recognize, mitigate and report them. This should be covered early on, before employees or contractors have access to the IT environment or confidential data.
Consequences
Consequences for not following policies or failing real or simulated phishing tests should be written down and communicated to employees. Oftentimes, consequences are tied to HR policy and employee annual reviews. Consequences for failing simulated phishing tests within a given period of time should also be defined. For example:
- First simulated phishing failure results in more security awareness training
- Second simulated phishing failure results in longer security awareness training
- Third simulated phishing failure results in more training, plus meeting with supervisor to suggest corrective action
- Fourth simulated phishing failure results in more training, plus meeting with training supervisor to come up with mediation plan, recording on employee’s official record
- Fifth simulated phishing failure results in more training, locked down computer devices, recording on employee's official record
- Sixth and subsequent simulated phishing failures result in more training, plus a meeting between employee, supervisor and HR to determine the next appropriate action
To be clear, KnowBe4 believes the best results for improving employee performance and decreasing cybersecurity risk come from positive reinforcement whenever possible, using negative consequences only as a last resort.
Technical Controls
Technical controls are the IT software, firmware and hardware used to prevent malicious hackers and malware from reaching an end user in the first place. Technical controls include:
- Malware Detection and Mitigation
  - Antivirus
  - Endpoint Detection & Response
  - Intrusion Detection
- Virtual Private Networks (VPNs)
- Firewalls
- Email and Browser Protections (e.g., content filtering, dangerous file blocking, not automatically loading active content, etc.)
- Content Filtering (including anti-spam and anti-phishing)
- Phishing-Resistant Multi-factor Authentication (MFA)
- Password Managers (they prevent phishing for passwords)
- Email File Attachment/URL “Sandboxing” products
- URL Blocklists/Reputation Services
- Global Phishing Protection Standards
  - Sender Policy Framework (SPF)
  - DomainKeys Identified Mail (DKIM)
  - Domain-based Message Authentication, Reporting and Conformance (DMARC)
- Separate systems for work and for email/Internet browsing
Anything you can do to prevent end users from being exposed to social engineering attacks can only help to reduce your security risk.
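The three email standards in the list above work together: SPF names the hosts allowed to send for a domain, DKIM lets receivers verify a signature against a public key in DNS, and DMARC tells receivers what to do when neither check passes for the From: domain, and where to send reports. The script below is an added example, not KnowBe4's code: it reads the DNS TXT records for those three standards and flags the settings that leave a domain spoofable (no record, `+all`, `p=none`, partial `pct`, no `rua` address). The domain names (good.example, weak.example, none.example), the TXT answers and the `lookup_txt` function are constructed stand-ins so it runs offline.

```python
"""Assess SPF, DKIM and DMARC posture from a domain's DNS TXT records.

Added example (not KnowBe4's code). The TXT answers below are constructed
samples embedded inline so the script runs offline; lookup_txt() is a
stand-in for a real DNS query.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed DNS TXT answers, keyed by the name a resolver would query.
# good.example publishes a strict posture, weak.example a lax one, and
# none.example publishes nothing at all. The DKIM p= value is a fake key.
CONSTRUCTED_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 mx include:_spf.mailprovider.example -all"],
    "selector1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructed"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=100"],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; returns the constructed answers above."""
    return CONSTRUCTED_TXT.get(name.lower(), [])


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DKIM and DMARC share this syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(records: List[str]) -> Optional[dict]:
    """Return the SPF terms and the qualifier on the 'all' mechanism, or None."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    terms = spf[0].split()[1:]
    all_qualifier = None  # no 'all' term: unlisted senders get a neutral result
    for term in terms:
        match = re.fullmatch(r"([-~+?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
    return {"terms": terms, "all": all_qualifier, "count": len(spf)}


def spf_findings(spf: Optional[dict]) -> List[str]:
    if spf is None:
        return ["SPF: no record; any host may claim to send for this domain"]
    if spf["count"] > 1:
        return ["SPF: more than one v=spf1 record; receivers treat this as a permanent error"]
    if spf["all"] == "+":
        return ["SPF: '+all' authorizes every host on the Internet, which defeats the check"]
    if spf["all"] in (None, "?"):
        return ["SPF: no '-all' or '~all', so unlisted senders are neither passed nor failed"]
    return []  # '-all' (fail) or '~all' (softfail) both let DMARC act on spoofed mail


def dkim_findings(domain: str, selectors: Iterable[str]) -> List[str]:
    """A DKIM key exists if some selector's TXT record carries a p= public key."""
    selectors = list(selectors)
    for selector in selectors:
        for record in lookup_txt(f"{selector}._domainkey.{domain}"):
            if parse_tags(record).get("p"):
                return []
    return [f"DKIM: no public key published under selectors {selectors}"]


def dmarc_findings(tags: Optional[Dict[str, str]]) -> List[str]:
    if tags is None:
        return ["DMARC: no record; SPF/DKIM failures are never enforced for the From: domain"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag (p={policy!r})")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports of spoofing attempts")
    return findings


def assess_domain(domain: str, dkim_selectors: Iterable[str] = ("selector1",)) -> dict:
    """Collect findings for one domain and say whether spoofing is actually blocked."""
    spf = spf_findings(parse_spf(lookup_txt(domain)))
    dkim = dkim_findings(domain, dkim_selectors)
    dmarc_records = [r for r in lookup_txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    dmarc_tags = parse_tags(dmarc_records[0]) if dmarc_records else None
    dmarc = dmarc_findings(dmarc_tags)
    # Enforced only when DMARC can act (quarantine/reject) and SPF and DKIM give it something to act on.
    enforced = (dmarc_tags is not None
                and dmarc_tags.get("p", "").lower() in ("quarantine", "reject")
                and not spf and not dkim)
    return {"domain": domain, "enforced": enforced, "findings": spf + dkim + dmarc}


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        result = assess_domain(name)
        print(f"{name}: {'enforced' if result['enforced'] else 'NOT enforced'}")
        for line in result["findings"]:
            print("  -", line)
```

Run as-is to see the three constructed domains assessed. To check your own domains, replace `lookup_txt` with a query through a DNS library and pass the DKIM selectors your mail provider actually uses; the rest of the logic stays the same. Note that a lax record on your own domain is exactly what lets an attacker's phishing mail pass as if it came from you, so this is a check worth running before relying on the employee to notice.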
Education
You need to educate your co-workers on how to recognize, mitigate and report potential social engineering attacks. Give longer and broader anti-social engineering training (perhaps 30-60 minutes’ worth) when someone is hired, and annually thereafter, followed by shorter sessions (e.g., 2-5 minutes) each month along with simulated phishing tests at least monthly. You can increase the frequency to every two weeks if needed. If someone fails a simulated phishing test, they should be given more training. KnowBe4 customers who follow this approach significantly reduce the percentage of employees who will click on a real or simulated phishing test (what we call the “Phish-prone™ Percentage”).
You need to educate as if you were a marketer running television advertising, which is to say your security awareness training should be frequent, repetitive and entertaining. It should combine media types and channels: videos, posters, games and quizzes. When using video content, vary the type of videos. One size does not fit all; different people learn differently. By varying the content and content type, you will communicate more effectively across a broad range of people.
See our whitepaper on creating a security awareness training program here.
Other Tips and Tricks
Some other tips and tricks you can try:
- Create a “champions” program: people who perform well at detecting real and simulated phishing and want to help others are designated “champions” and promote security awareness training in person, supported by a gamified platform with badges
- Hold an annual security awareness training conference (perhaps in October for Cybersecurity Awareness Month), with food, education and prizes
- Mix up simulated phishing tests and randomize who gets which test and when
- Give prizes or parties for people who do really well at spotting real or simulated phishing
- Have the CEO communicate about the importance of building a strong security culture and everyone becoming a human firewall
You can download our Comprehensive Anti-Phishing Guide eBook covering these topics in more detail.
This was a very quick recap of the policies, technical controls, education and other tips and tricks you should consider to mitigate the threat of social engineering. If you want more details or to watch a webinar on everything you can do to mitigate phishing, register below:
Register by May 10th @ 2:00 PM ET!
Don't like to click on redirected buttons? Copy & paste this link into your browser: https://info.knowbe4.com/phishing-mitigation-mc?partnerref=blog