Social engineering attacks continue to grow in popularity among criminals. Why? Because it’s an easy way to achieve their goals. Criminals are pragmatic. They want to achieve their goal in the simplest way possible. Hacking into an organization’s network or finding zero days in a web-facing application can be hard work. Tricking a user to click on a malicious link or provide their credentials “to IT” can be very simple.
To the criminal, size doesn’t matter when targeting organizations for social engineering attacks. A recent survey found that employees of small businesses experience 350% more social engineering attacks than those at larger enterprises. This, too, makes sense. A phishing attack on a midsize business can be easier to execute and still result in a very lucrative ransomware settlement.
What Doesn’t Work
Security awareness training can help organizations defend against social engineering attacks. Unfortunately, many organizations take the wrong approach to training their users.
Annual Campaigns
We’ve tried (year after year) to promote better cyber hygiene with annual “Awareness Month” initiatives. But exploiting poor cybersecurity awareness remains the primary attack vector in data breaches. The 2024 Verizon Data Breach Investigations Report found that the “human element” accounted for 68% of breaches in 2023. Phishing was the second leading “way in” for attackers. Once attackers gain a foothold, they can establish command and control channels, move laterally to identify target data, encrypt data for ransomware demands, or steal sensitive information.
Annual campaigns often miss the mark because learning is a continuous process, not a one-time event. Many of us have participated in security training sessions, whether it’s reading and acknowledging corporate information security policies or completing an “Introduction to Security” eLearning course. Unsurprisingly, the long-term effectiveness of these methods is limited.
Consider this: you wouldn’t expect to master driving just by attending a driver’s education seminar, nor would you become fluent in a new language after listening to a single lesson. The same principle applies to security knowledge; retention requires consistent repetition.
Partial Solutions
We’ve talked before about insider risk. In short, while insider threats are users with malicious intent, everyone who has access to your organization’s systems and data presents risk. That risk could include copying the wrong person on an email containing confidential data, uploading sensitive information to ChatGPT, or sharing passwords with a coworker.
This means everyone in your organization requires consistent and ongoing security awareness training.
Unfortunately, that doesn’t appear to be happening. A recent study found that almost half of all organizations only train a portion of their workforce, and over two-thirds allocate less than 2 hours annually for security awareness activities.
How to Combat Social Engineering Attacks
A good security awareness training program requires engaging material and ongoing reinforcement for all users, from the CEO on down. Nobody is exempt from attacks. Here are four tips:
- Start with a review of your technology acceptable use policies. Be sure to cover approved hardware and software, when and how IT will request password changes, and how to use (or not use) newer technologies like generative AI sites. Then make sure every user reads and acknowledges them.
- Next, select core training material that covers all important topics, including the tactics criminals use, such as phishing, business email compromise, smishing, and vishing.
- Reinforce the lessons to build a strong security culture. Awareness graphics and videos provide daily reminders.
- Spam and content filters cannot catch everything, so start a phishing simulation program. Offering swag for the departments that do best can “gamify” the training.
Looking for an easy-to-manage platform to protect against social engineering attacks? Schedule a no-pressure conversation with a cybersecurity expert.