When speaking about cybersecurity (and physical security), the phrase “employees are your weakest link” is often used. In truth, they can be your strongest line of defense in preventing cyberattacks when they are armed with social engineering training.
With proper training and guidance as part of a consistent, ongoing process, your employees will be able to make the right decisions when they encounter a social engineering attempt.
On the flip side, not having clearly defined employee policies leaves the entire organization vulnerable to cyberattacks from social engineering ploys such as business email compromise, invoice fraud, social media attacks, and various types of phishing.
What is Social Engineering?
Social engineering is the art of exploiting human psychology rather than technical hacking techniques to gain access to buildings, systems, or data. It could look like an email sent by the CEO of your company to join an online meeting immediately or a request from a ‘vendor’ requiring a wire transfer or invoice payment.
Cyber attackers use social engineering to personalize attacks to manipulate people into performing unsafe functions. Cybercriminals also take advantage of the emotions or negligence of human beings more often than they target system vulnerabilities.
Even with traditional security in place (antivirus and firewalls), cyber-attackers can penetrate the organization by getting an employee to provide access to the systems that house sensitive data (and often without their knowledge). Most cyberattacks start with social engineering components, such as a phishing email, leading to credential harvesting, direction to a malicious website, or having a user send sensitive information or make a financial payment to an attacker.
There’s a misconception that email spam protection systems block all malicious activity, which is not true. For example, bad actors can launch a social engineering attack from a legitimate email account that is compromised. Spam protection will not automatically filter this type of email out. Attackers don’t just use email; they use various techniques: phishing, smishing, vishing, social media, company website, chats, and other methods.
Without proper training, employers and employees can fall victim to wire fraud, gift card scams, and other takeovers or compromises. In addition, poor home security habits, home internet security lapses, cloud apps, and Shadow IT open substantial security risks for organizations.
Not having clearly defined policies leaves employees many opportunities to accidentally fall victim to social engineering attacks. They are simply unaware that activities such as connecting personal devices to the network, checking personal email on a work computer, or not correctly reporting a suspicious email can increase the likelihood of a successful cyberattack.
Employees are Your Biggest Ally
The whole mindset that employees are the weakest link in cybersecurity needs to change. Employees can be your biggest ally when you set clear expectations and policies and deploy dynamic training, making them determined cyber defenders.
Think of it this way: Employees are the defensive middle linebackers of an organization. The linebacker reads the opposing offense (cyber attacker) and calls the plays (responding to a possible malicious attack). The linebacker is the defense’s heart, mind, and soul, much like an employee is to an organization.
What should social engineering training for employees include?
Social engineering training needs to be part of your comprehensive cybersecurity program. There must be buy-in and participation from everyone in the organization from the top down—the CEO, IT, sales, technicians, and interns. Expectations have to be clear and communicated through written policies (especially tech and data use) and simulations, videos, awareness posters, and various media that capture and keep employees’ attention and reinforce best practices.
Frequency: At least monthly – ongoing, short reinforcements
The frequency and repetition of social engineering training should be at least monthly, with ongoing, short reinforcements. Training must happen more often than quarterly or annually, and it must be engaging, so that the information “sticks” with employees and they retain the knowledge needed to reduce the likelihood of a cyberattack.
Social engineering training also needs to be dynamic – with specific examples and clear expectations of next steps and how employees should react to various situations.
Repetition retains knowledge
Neuroscientists have proven that repetition is key to internalizing information and retaining knowledge; spreading that repetition out over time is known as spaced learning or spaced repetition learning. Spaced repetition learning is based on the way the mind works. While we can pick up facts in no time, real learning is best understood as a longer-term process that occurs over time through repetition. Employees need space and the passage of time to let information marinate, to review and refresh their knowledge, and to have the opportunity to apply it in a real-world situation.
Here’s what to include in your social engineering training:
- Classroom Training Videos—at the beginning of employment and annually for the entire organization.
- Awareness Posters — constant visual reminders of key topics staged around the business or digitally.
- Phishing Simulations — to build up muscle memory of how to spot a phishing email. Their purpose is to get realistic attacks in front of employees before real attackers do.
- Employee Awareness Training — monthly, relevant, and engaging short training videos.
- Tech and Data Use Policy — set clear expectations and provide detailed guidance.
Want to find out how an expert implemented a successful employee security awareness program? Watch our webinar, “Implementing a Successful Employee Security Awareness Program.”
Why Is Social Engineering Training for Employees Important?
Social engineering training is an important part of your cybersecurity education and policies. Even though cybersecurity is so critical today in everyone’s lives, most people have never studied how to protect themselves from a cyberattack in school or elsewhere. Attackers are getting more sophisticated and are banking on an instant response, so you constantly have to train employees on new threat vectors.
Your policy should set specific expectations that keep in mind how dependent we are on technology. It should give employees a way to verify requests before they respond, which is especially critical when face-to-face confirmation is not available and for employees working from home. Social engineering training should be part of the onboarding process for new employees, interns, and temporary employees.
Consistent, targeted, and evolving social engineering training decreases the chances of a successful socially engineered cyberattack. Combined with policies, assessments, testing, and detection and response, your employees will be ready to stand in your defense.