lolloj - Fotolia

Time to move on with social engineering training, says Jenny Radcliffe

Organisations need to move from awareness of the risk of social engineering to empowering employees to understand and recognise the threat to protect themselves and the company, says Jenny Radcliffe

Training to harden employees against social engineering attacks needs to move on from mere awareness, according to social engineer Jenny Radcliffe.

“This topic is appearing at a growing number of conferences, but acknowledging it is as a key element of cyber attacks is just the start,” she told the inaugural Security Serious Conference in London.

Most organisations need to move past phase one, she said, to define specific objectives for social engineering training and put metrics in place to measure progress towards those objectives.

“In terms of security awareness training, social engineering is a good place to start because it is easy for people to understand and identify with,” said Radcliffe.

“Technical threats are easy to dismiss as being someone else’s job, but people can identify with attacker collecting information about them to use them as a way into the company.

“Social engineering is easier to explain than technical threats and it helps link people’s personal lives with the overall security message their security team is trying to communicate,” she said.  

Phase one entails not only recognising the risk of social engineering attacks, but also identifying the predictable behaviours in an organisation that attackers are likely to attempt to exploit.

“Social engineers will look for how people at the target organisations usually do things – how they celebrate, where they lunch and where they drink,” said Radcliffe.

“In building an awareness programme around social engineering, look at what the company is already familiar with such an anti-phishing programme or a ‘no tailgating’ rule and build on that,” she said.

Read more about social engineering

But first, Radcliffe said, it is important to define the overall objectives of the campaign. Organisations should have a clear idea of what they want to achieve.

The second phase, she said, is to define what relationship the organisation or its security team would like to have with people in the organisation once the campaign is underway.

“Ideally, the object should be to enable people to maintain and grow their knowledge and understanding of the topic once they have been alerted to its existence,” said Radcliffe.

This needs to be self-sustaining, she said. “Individuals need to take ownership of the problem. It is not something that can be achieved by throwing more and more money at it,” she said.

The third phase, said Radcliffe, should be ensuring that those responsible for the campaign are not pursuing it to ‘make a point’ but to empower people to protect themselves from social engineering, and this must include everyone that works for the company, including contractors and temporary staff.

In picking a starting point, Radcliffe said organisations need to identify where they are most at vulnerable by identifying where there is the greatest level of ignorance or risk.

“It does not make sense to focus on phishing first if an organisation runs a call centre that handles thousands of calls a day that attackers are most likely to use to get information,” she said.

Three-step approach to security campaign

Once the objectives and starting point have been identified, Radcliffe said organisations can set about planning their campaign using a three-step approach.

First, she said, it is essential to explain what social engineering is, why it is important, and make it clear to employees that they will be targeted on the phone, by email and physical security points.

It is also important for everyone to understand that anyone can be fooled by a focused social engineer, so it is important to be as prepared as possible to reduce the chances of their success.

“Work to build excitement and interest around the campaign, identify those in the organisation who are the most enthusiastic and ask them to become champions to take the lead,” said Radcliffe.

Next, she advises an amnesty or some form of anonymous communication to get people in the organisation to identify what ways they have found around the security controls.

“People in an organisation are the best qualified to know how to hack the business to get around the rules,” said Radcliffe.

“This exercise is not only useful in helping to identify vulnerabilities, but it gets people thinking and talking about the topic,” she said.

Read more about security awareness

Third, Radcliffe said it is important to make sure that security is part of every meeting, which could include one of the champions or other employees sharing their social engineering story of the week.

This continually reinforces the messages, encourages people to engage with the topic and broadens people’s understanding of what is meant by social engineering and the various forms it can take.

“It is also important to provide the tools people need, such as providing scripts they can use to challenge anything that seems suspicious. Politeness if often the biggest failing. It is helpful if people can follow a set script whenever they feel it necessary for people to prove their identity,” said Radcliffe.

“Encourage people to report anything unusual or suspicious. Make it easy for them to do so and reward those who do in some way. This can be useful in identifying not only potentially malicious behaviour, but also what people in the organisation perceive as areas of risk,” she said.

People at the core of cyber defence

Radcliffe cautioned against using technical terms and approaching social engineering awareness training like any other security project.

“People are not like tech. Do not lose sight of the fact that you are working with individuals you are arming against social engineering attacks and then give it over to them,” she said.

“What you are looking to do is to change people’s minds about security; to get them involved and to understand that it’s personal; you are looking for them to commit to that security message, to stop them from being bored from hearing the standard security messages, and finally to make them willing to act by making them feel free to report.”

In closing, Radcliffe warned against believing any suppliers who claim they have the security tools that can address the risks of social engineering and she advised organisations to keep as much of it in-house as possible.

“Don’t assume it will be easy and don’t approach it with ego – otherwise it will be your downfall. What you are looking to do is to shrink and slow down the social engineering element of a more complex cyber attack.

“The answer to that lies in your people, and while a targeted attack will be bespoke and tailored, you can also defend in a bespoke and tailored way because no one knows a company better than the people who work there,” Radcliffe said.

Read more on Security policy and user awareness