On this blog, we have talked several times about social engineering attacks and their relevance in the current business landscape. While based on human psychology and deception, these attacks continue to have a deep, devastating impact on our economy, driving crises for companies.
So far, the human factor has basically been the one to blame. Every time a social engineering attack succeeds, we hastily point to end users as liable and charge them with full responsibility.
However, this is neither the smartest nor the healthiest way to handle it. There is a different approach for businesses facing the challenge posed by social engineering attacks.
Are Humans the Ones to Blame?
Social engineering attacks target individuals by laying traps based on psychology. They often use facades to drive end users to take actions such as clicking on infected links or directly downloading malware. These attacks are worryingly successful, which suggests that humans are effectively the ones to blame here.
Yes, employees are the ones falling victim to social engineering attacks, something that eventually leads to major problems for the company. They click, submit, and download, which triggers a chain of terrible events.
Cybersecurity has always been quick to make the end user the scapegoat, the one to blame for everything that goes wrong. However, individuals are only one of the many factors in this complex equation. Above end users, we find (or should find) different layers of responsibility that belong to others.
A Layer of IT Professionals
Cybersecurity specialists are in charge of implementing mechanisms that keep threats at bay. They are the real experts when it comes to social engineering attacks, not the accountants in the finance department. Believing otherwise only benefits the cybercriminals conducting the attacks.
However, the ones targeted by attacks are the accountants at the finance department and any other employees holding valuable business information. Therefore, IT professionals must embrace their role as defenders for the entire company. While employees, in general, must be careful about how they behave online and pay attention to suspicious events, their role isn’t to protect the company from social engineering attacks. Instead, the ones responsible for this are the IT professionals.
Making Structures Difficult to Map and Navigate
Conducting a social engineering attack isn’t easy for the cybercriminal; it is incredibly demanding in terms of time and technical effort. Malicious agents need to research the targeted organization and the individuals who are part of it. Without in-depth research, the attacker cannot carry out an effective attack, since they need to know who belongs to the organization and how, technically speaking, it is structured.
Here, IT specialists are also held accountable. They are responsible for creating and maintaining business structures that are nonlinear and difficult for outsiders to navigate. Seen from the outside, obscurity is a necessity, and it makes the cybercriminal’s work considerably harder.
Corporate networks that are easy for malicious agents to map and navigate only make their work easier. That’s why security mechanisms and designed complexity are needed to keep threats at bay.
Safe Transfers in Business
One way cybercriminals succeed in their social engineering attacks is by sending files attached to email messages. They apply phishing principles and distribute malware among employees. Then, when an individual within the organization downloads such malware by mistake, they are blamed as much as the attacker.
Yet having businesses share files internally through email is a key mistake. In today’s world, every transfer should be done through secure methods such as cloud-based enterprise file sync, in its many forms, and not by irresponsibly attaching files to an email message.
By enforcing this unavoidable change, we dramatically reduce the chances of success for social engineering attacks that deliver malware as email attachments. This minor implementation can have a major impact on an organization’s cybersecurity, and it costs less than expected.
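As an added illustration of the rule above (example code, not from the original post), a mail-gateway style check in Python: it parses a message, rejects attachments sent by internal senders so the transfer goes through the sync platform instead, and holds external attachments for inspection. The domain and the sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholder for the organization's own mail domain.
INTERNAL_DOMAIN = "example.internal"

# Constructed sample: an internal sender attaching a spreadsheet directly.
SAMPLE_INTERNAL_ATTACHMENT = """\
From: Alice <alice@example.internal>
To: Bob <bob@example.internal>
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="q3.xls"

AAAA
--b1--
"""

def list_attachments(msg):
    """Return (filename, content type) for every attachment part in the message."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, not content
        if part.get_content_disposition() == "attachment" or part.get_filename():
            found.append((part.get_filename() or "", part.get_content_type()))
    return found

def policy_decision(raw_message):
    """Decide what the gateway does with a message under the no-attachments rule."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    is_internal = sender.lower().endswith("@" + INTERNAL_DOMAIN)
    attachments = list_attachments(msg)
    if not attachments:
        return {"action": "deliver", "attachments": []}
    if is_internal:
        # Internal file sharing must go through the sync platform, not email.
        return {"action": "reject", "attachments": attachments}
    # External attachments are held for inspection rather than delivered blindly.
    return {"action": "quarantine", "attachments": attachments}
```

Running `policy_decision(SAMPLE_INTERNAL_ATTACHMENT)` rejects the message because an internal sender attached `q3.xls`; a link-only message from the same sender is delivered.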
Training and Awareness Without the Blame
Despite everything we have addressed in this article, employees will continue to be scapegoats for poorly protected businesses. Even in organizations where top-grade cybersecurity methods have been implemented, every single individual will be held accountable if something goes wrong, even if that individual has nothing to do with IT.
With this in mind, it would be a good idea to make security training for greater awareness the top priority. IT specialists must conduct training sessions and distribute learning material within the organization in order to reduce the threats posed by social engineering.
Regardless of how much education employees receive on the subject, it’s key that all the other factors are considered before blaming anyone for potential breaches. Blaming individuals only generates a difficult, riskier culture in the workplace.