What is social engineering in the context of digital security?
The Guardian defines social engineering as “a non-technical strategy cyber attackers use that relies heavily on human interaction and often involves tricking people into breaking standard security practices”. It involves breaking into digital security systems not with software but with talking to people, accessing premises, checking social media or even eavesdropping.
Here are three points you need to understand about it:
1. Social engineering is not about finding bad people, it’s about misleading good people
“Inside jobs” are a regular feature of fictional crime stories and probably a fair percentage of real-world crimes. This scenario is, however, totally different from social engineering. A person “on the inside” is fully aware of what they are doing, he or she is a rogue employee. Social engineering is about misleading good, honest, sincere employees so that they take actions that damage their company.
2. Digital hygiene is essential for personal and professional cybersecurity
Life is a learning experience and it’s probably fair to say that where the internet is concerned, most of us have been too lax for too long for the simple reason that we didn’t know any better. We opened several email accounts and created multiple logins for numerous websites and never bothered closing anything properly when we stopped using it.
We also probably used passwords it wouldn’t have taken too long to crack, or even kept a post-it note with our passwords underneath the keyboard.
As a result, unless we actually take the time and make the effort to clean up our digital past, there is likely to be a lot of information about us floating around the internet. If you’d like to put this to the test, try researching yourself and see what you find. Do as much as you can to clean up your digital footprints and stay aware of the fact that the internet never forgets.
3. Education is vital to success in digital security
Education won’t stop “inside jobs” (only effective security policies will do that) but it will give genuine employees the tools they need to keep your company safe.
The good news is that these days, convincing people that they need to learn about cybersecurity can actually be fairly easy, thanks to the fact that there are numerous real-world examples of just how much damage poor cybersecurity can do. The key point to get across is that the training you will give them to keep themselves safe at work can also be applied to their personal lives and taught to other people they care about such as young people and today’s generation of “silver surfers”.
With the best will in the world, however, people are going to forget training unless it is either applied or refreshed regularly, preferably both, so it is your responsibility as an employer to make sure that your employees continually receive “top-up” training.
Your receptionists need to know why visitors should be left alone in a room with a networked computer, your sales staff need to take care with what they give away on social media, and your executives need to make sure their laptop screens stay away from prying eyes on public transport. It may sound paranoid, but good social engineers will stop at nothing to work their way into your system, and you don’t want to tempt them.