What strategies can organisations implement to defend against social engineering attacks and why is it important to educate all parties involved?

What strategies can organisations implement to defend against social engineering attacks and why is it important to educate all parties involved?

According to GlobalData’s Advisory Report, 2024 Enterprise Predictions: Secure by Design, cybercriminals are predicted to be quick to innovate and improve their use of methods like social engineering and deceptive practices. In this digital era, innovation is often poised as a pinnacle of technology evolution. However, as quickly as decision-makers are willing to invest time, energy and money into deploying new technologies like Artificial Intelligence (AI), bad actors and hackers are gearing up to seize those efforts with the same force.

Social engineering has featured in many industry-leading predictions for 2024 and sounds like it is already maturing into an even more impactful state. GlobalData reported that attacks leveraging social engineering tools became more frequent and more expensive in 2023, meaning the profitability and ease of these cyberattacks is likely to drive an even higher volume of incidents this year.

It shouldn’t be mistaken that AI is the only tactic used, however, cyberthreats are more familiar with this technology. Darktrace found that due to AI’s monolingualism, it left the Asia Pacific region – home to diverse and complex languages – a relative safe-haven from attackers. However, Generative AI (GenAI) has dramatically dropped the barrier to entry for composing text in foreign languages. It should be expected that attackers will add new capabilities to their belts and this threat will be compounded by employees coached to look out for phishing emails written in English, but not their own language. Darktrace emphasised that this could provide fertile ground for attacks and create a weak spot for APAC businesses.

The National Cyber Security Centre (NSCS) recently revealed, in its The Near-Term Impact of AI on the Cyber Threat report, that cyber-resilience challenges will become more acute as technology develops. To 2025, GenAI and Large Language Models (LLMs) will make it difficult for everyone, regardless of their level of cybersecurity understanding, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing or social engineering attempts. 

“Threat actors continue using different tools and methods in their attack campaigns, making it critical for organisations to keep abreast of the latest tactics to fortify their security strategy,” said Corey Nachreiner, Chief Security Officer, WatchGuard. “When it comes to attacks that employ social engineering tactics, the end-user becomes the last line of defence between malicious actors and their success in infiltrating an organisation.

“It’s important for organisations to provide social engineering education as well as adopt a unified security approach that provides layers of defence, which can be administered effectively by managed service providers.”

A realistic way of ensuring compliance from every member of an organisation should likely revolve around encouragement, empowerment and lack of ridicule and repercussions. Building resilience against cyberthreats is by no means easy, however, adopting a workplace culture that emits individual value in employees is likely to reduce risks falling on deaf ears.

We receive insight from industry experts at Rapid7, Illumio and Integrity360, who share their strategies to defend against social engineering tactics.

Christiaan Beek, Senior Director Threat Analytics, Rapid7

Christiaan Beek, Senior Director Threat Analytics, Rapid7

A robust defence against social engineering requires a comprehensive strategy that strikes the right balance amongst people, processes and technology. To do so, a culture of security is key. This is where security becomes entrenched in the day-to-day functioning of a business to create a domino effect in encouraging individuals to understand their security responsibilities and by adopting a collective responsibility towards security.

The primary focus must lie in developing awareness amongst individuals regarding the intricacies of social engineering, in terms of how it operates and unfolds. This should be done through fostering a culture of security. Leadership must set the tone and implement a trickle-down effect by exemplifying security consciousness and communicating regularly about potential and emerging threats.

A Chief Security Officer (CSO) who is both aware and visible is vital in furthering this cultural shift. It needs to be made known that it is okay for staff to have gaps in their knowledge, and asking questions should be encouraged to help establish an environment conducive to security consciousness. We all have to be aware that we’ll make a mistake at some point, so encouraging openness should be key. This human element has to be recognised as crucial in defending against social engineering. Individuals must align with and buy into the technological measures implemented. The efficacy of security measures is wholly dependent on the collective commitment, vigilance and understanding of the organisation.

Education is an exercise which needs to be under constant review to make sure it is kept up to date. Annual training sessions – a staple in many organisations – must be regularly updated to keep pace with the dynamic threat landscape.

Annual training must sit alongside proactive measures such as phishing simulations to keep a workforce alert to potential social engineering risks. Creating a culture of security is reliant on productivity and a consistently vigilant workforce. This training must be upheld by a robust reporting mechanism. Heightened awareness should be complemented by a system that aids the reporting of suspicious activities. Simplicity and repetition play a key role here so that security measures stay top of mind for all individuals within the organisation without alienating staff. Good security equates to simple security. This comparison is seen by deploying a button that can be pressed whenever a suspicious threat is noticed, rather than enforcing email-based reporting which causes inefficiency and confusion. 

Striking a balance between stringent security measures and user-friendly practices is paramount. A holistic defence against social engineering encompasses the continuous integration of education, a culture of security, technological fortifications and strategic leadership. This is vital in organisational resilience and boosting an organisation’s ability to navigate evolving cyberthreats.

Trevor Dearing, Director of Critical Infrastructure, Illumio

Trevor Dearing, Director of Critical Infrastructure, Illumio

Social engineering and AI improve the success rates of attacks. UK Prime Minister, Rishi Sunak, warned by 2025 it’s likely AI will create ‘faster-paced, more effective and larger scale’ cyberattacks. Breaches are now inevitable so education around AI, attack methods and cyber-hygiene must be prioritised.

A good way to increase cybersecurity education is by making it relatable to employees’ personal lives. For example, through campaigns such as ‘how to stay safe from cyber scammers at Christmas’. Although not work-related, employees will likely apply the knowledge they have acquired to protect their personal finances to a work environment. Despite greater education in schools, there is often a disconnect between school leavers and entering the world of work – much is quickly forgotten and the boundaries between work and home device usage become blurry.

We must also acknowledge that we cannot prevent all attacks. You can educate and educate, but employees are human, and errors will be made. Even if you raise awareness enough to stop 99.9% of attacks, the 0.1% still equates to thousands of attacks. So, while the first line of defence is certainly education, the second line is what happens when an attacker gets through. How can you mitigate the blast radius and reduce the impact of attacks?

This is even more critical in hybrid and multi-cloud environments where the risk of breaches spreading is greater. It only takes one successful phishing attack to gain access to an organisation, and once attackers are in, the goal is to move to find sensitive data or assets.

As well as applying basic cybersecurity hygiene principals like anti-virus, patch management and identity and access management controls, the following measures can help build resilience against social engineering attacks:

  • Place tighter controls on social media: Although often unpopular with employees, consider restricting access to certain, if not all, social media platforms within the business environment. Social media is an attractive target for attackers looking to gain information or find a way in, often because users are often less vigilant and more susceptible to scams via such platforms.
  • Enhance detection capabilities: Endpoint Detection and Response (EDR) is a non-negotiable when it comes to social engineering. Round the clock monitoring enables fast identification of abnormal behaviour and ensures that attacks can be identified and responded to as quickly as possible.
  • Implement segmentation: Network segmentation is key to reducing the impact of attacks, as stated in the Cyber Assessment Framework (CAF). The goal of social engineering is to trick users into exposing data, spreading malware infections, or giving access to restricted systems. Technologies like Zero Trust Segmentation provide an easy and consistent way to apply segmentation to all environments, ensuring that those attacks that bypass EDR and other defences, are rapidly contained.

Richard Ford, CTO, Integrity360

Richard Ford, CTO, Integrity360

Defending against social engineering requires a multifaceted approach that combines education, policy and practice. As these attacks become more sophisticated thanks to the increasing use of tools such as AI, the importance of educating and preparing all parties within the organisation cannot be overstated.

Insider threats have also become more prominent due to a variety of social and economic factors, the most pressing of which is the cost-of-living crisis. Financial hardships and pressures have seen the risk of insiders deliberately exposing data or credentials for hackers to utilise and exploit in exchange for cash – a tempting option for disgruntled or desperate employees looking for a way out of economic hardship. This makes the insider threat highly unpredictable and, consequently, difficult to manage. 

The cornerstone of defending against social engineering is robust awareness training. Employees are often the first line of defence against these attacks. Regular training sessions should be mandated, focusing on identifying and responding to various forms of social engineering threats, such as phishing, pretexting and baiting. This training should be dynamic, reflecting the ever-evolving nature of social engineering tactics.

Employees should feel empowered and encouraged to report suspicious activities without fear of retribution. Such a culture is nurtured through continuous communication from the top-down, emphasising the importance of security in the overall health of the organisation.

Another vital strategy is the implementation of strict information control policies. Limiting the amount of information available publicly can significantly reduce the risk of social engineering attacks. This means controlling what is shared on company websites, social media and through other public channels. Employees should be educated on the risks of oversharing, both in professional and personal contexts.

Regular security audits and simulated social engineering scenarios can also play a crucial role. These exercises not only test the effectiveness of current security measures but also keep the staff alert and prepared for potential real-life situations.

Finally, it is crucial to understand that social engineering attacks not only compromise data but also can severely damage an organisation’s reputation and trustworthiness. The cost of a breach extends beyond financial loss, affecting customer confidence and long-term business viability. Thus, investing in comprehensive education and robust defensive strategies is not just a matter of data security; it’s a matter of business survival.

Browse our latest issue

Intelligent CISO

View Magazine Archive