“Always remember: Amateurs hack systems. Professionals hack people.” –Bruce Schneier, CTO, Counterpane Internet Security, Inc.
All over the globe, social engineering is a dominant and growing threat to organizational security. Since January 2015, the number of social engineering victims identified by the FBI has increased 270%, costing businesses more than $2.3 billion.
Social engineering happens when a hacker uses manipulation, influence, or deception to get another person to release information or to perform some sort of action that benefits them. Essentially it just comes down to tricking people into breaking normal security procedures such as divulging a password.
Some common types of social engineering include:
- Spear phishing – sending an email that appears to be from someone you trust, such as the CEO or corporate IT, requesting you to take an action that makes confidential information vulnerable.
- Dumpster diving – rummaging through the trash to try to find confidential information like design documents with IP information, marketing plans, employee performance plans, or even organizational charts and phone lists.
- 10 degrees of separation – appearing to have a shared connection you trust to make you feel more secure about discussing confidential information.
No matter how strong your technical security is, your organization’s people are often the most vulnerable link in the chain. But, with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering.
To learn how to implement strong security policies and build a security-aware culture to help protect your organization from social engineering risks, check out the Insider’s Guide to Social Engineering.
from Microsoft Secure Blog Staff