I’ll be presenting a webinar on the use of social engineering in cyber attacks in February as part of ISACA’s CSX Cyber Security Series. See my blog post at ISACA for more details and to register.
Organizations battle daily with social-engineering-based cyberattacks and unfortunately often find themselves on the losing side. What can be done? To determine this, we need to step back from our technological tools and start with the psychological basis of why social engineering works and why it is a tactic of choice for cyber attackers. Armed with that knowledge, organizations can begin to mount a more effective defense.
I’ll be discussing the above during an ISACA webinar on February 23, 2016. See this link for more info and to register.
I had the opportunity today to sit on a cybersecurity panel discussion at the 2015 Great Plains Contingency Planners Seminar and Vendor Expo. Lots of great questions from the audience, especially related to social engineering threats. I would recommend everyone take a look at their cyber awareness program. A few key thoughts:
- Has your organization determined what it considers critical information that must be kept from non-employees? This could be intellectual property, which vendors you use, which days you apply patches to your IT systems, or the web address for your remote VPN access. Once this information is identified, your workforce needs to be told not to share it directly with outsiders or post it on social media.
- Do you conduct training to teach employees how to recognize and respond to phishing emails? This could be run by your internal IT team or by vendors specializing in this service. Variety in tactics, regular frequency (monthly or quarterly), and feedback to participants are crucial to success.
- Establish a process for employees to report questionable activities. Such reports may alert your security staff to early attempts to break into your network.