Cyber threats are consistently catching companies out, meaning organizations must adapt their IT measures and procedures to mitigate the evolving threat. Risk managers should designate cyber threats as one of the top risks to a business and should have relevant controls in place to help manage the threat level.
One of the most important controls that should be in place is security awareness training for all staff. There are many threats staff should be aware of in their email and web browsing. But a threat that may be overlooked is social engineering. Employees who have access to confidential information need to be trained, or they risk becoming victims of social-engineering techniques.
In the context of information security, social engineering is psychologically manipulating people into performing actions or divulging confidential information. A social engineer will use confidence tricks to gather information or access systems.
Social engineers could call, email or visit one of your company’s locations while pretending to be someone who works for the same organization, a customer or another trusted party (for example, a security guard or building engineer). By posing as a person of trust, social engineers will try to get you to provide them with information or access while circumventing the usual procedures. If you are unsure, you should refuse to provide access or information to this person until you have verified who they are.
Knowing these techniques will enable staff to identify forms of social engineering. Taking a proactive approach by educating and training staff will mitigate the threat posed by social engineers.
When used by an experienced social engineer, it's shocking just how effective these techniques can be. Consider, for example, the real-world demonstration in this video of how social engineering works in practice: