InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
Social engineering attacks focus on convincing individuals into bypassing security procedures to gain unauthorized access to systems, networks and data, usually for financial gain. As a first step in larger cyberattack operations, social engineering tactics
can create large-scale damage by infiltrating systems, stealing sensitive data or releasing malware. This piece details social engineering best practices, providing guidance to prevent attacks and recommending ways to mitigate them.
While social engineering is a human-centered form of attack, preventive measures must address not only people, but policy and technical controls as well across the organization.
Even a strong cybersecurity culture is not as effective without policies and procedures in place to provide documented guidance and enforce behaviors. Just as every employee is a potential target for social engineering, every policy and procedure should
consider potential social engineering vectors and provide specific guidance on steps to take to avoid a successful attack. Important examples include:
Once policies and procedures are established, it is critical to distribute them and have employees trained on the most important elements. General employee training should cover key concepts such as:
Even organizations with comprehensive policies and procedures and well-trained employees have been the victims of social engineering. The third element of preventing and mitigating social engineering attacks is technology.
Some effective technologies include:
READ: How to Create an Effective Anti-Phishing Program
Even if your organization has a well-balanced social engineering prevention program, you may still be successfully attacked. A good defense-in-depth strategy must include not only prevention, but response and recovery as well.
For example, organizations should create:
READ: How to Advance Your Phishing Program to Address Ransomware
Social engineering prevention and mitigation must cut across people, process and technology to be effective. While training users to be vigilant and aware is critical to preventing attacks, it is also important to have well-documented, easily accessible
ways to report social engineering attacks, in addition to technical controls that supplement training and provide automated policy enforcement.
Employee education is the first line of defense against social engineering. If the entire organization is aware of potential threats, your security strategies will be much easier to implement.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
June 30, 2022
By IANS Faculty
Understand how zero-click attacks work and find best practices to help detect and prevent common zero-click techniques from harming your organization.
June 28, 2022
Find guidance on how to create meaningful security metrics and KPIs for measuring risk improvement across a variety of security areas, including vulnerability management, product security and more.
June 23, 2022
Gain an understanding of the latest insider data exfiltration threats, motivations and methods. Learn best practices for insider threat detection and data exfiltration prevention to protect your organization.