What was the most common cyberattack vector in 2022? Advanced persistent threat (APT)? Ransomware? Denial-of-service (DoS) attack or distributed DoS attack?
In actuality, according to the Verizon 2022 Data Breach Investigations Report, 82 percent of breaches leveraged the human factor (i.e., social engineering). Surely, part of the problem relates to a simple dearth of cybersecurity knowledge by many (or most) employees outside the realms of IT and security. But that is not the complete answer as it is entirely possible for security professionals themselves to fall victim to a social engineering hack, too.
This type of vulnerability hinges on human psychology—the things that motivate us; inspire urgency, fear and greed; and create the urge to please or obey. Thus, user education is one of the most important tools that cybersecurity professionals can use to combat social engineering.
However, this is not to discount the effectiveness of the many other strategies and technologies that can and should be employed to combat social engineering-fueled cyberattacks and breaches. Email security gateways, for example, can be quite effective in deflecting social engineering attempts, and certain other, newer technologies can help tame the beast as well.
Building a Business Case
If user education is the key to deflecting social engineering attempts, then management buy-in is the necessary precursor. However, too often executives seem to see cybersecurity as a cost center, rather than an intrinsic part of business operations.
To change that viewpoint will most likely require a strong business case, which in turn necessitates input into business costs from management. A classic chicken-or-egg conundrum, right? Luckily (or not so luckily) we have reams of studies and statistics, like those in the Verizon report, to use as a start to the conversation.
From there, you can start to factor in the potential business costs of an attack or breach resulting from social engineering. These should include both hard expenses—such as the cost of lost sales, reduced employee productivity and potential fines—as well as soft losses such as damage to enterprise reputation and customer relationships.
Forewarned and Forearmed
No matter the level of buy-in (or budget) you receive, there are a variety of tools and resources, ranging from freeware to paid services, available to design and run simulated social engineering attacks today. A couple of examples are the Social Engineer Toolkit (SET) and Microsoft Defender for Office.
Even a program to simply raise awareness, such as sending out updates on recent social engineering exploits or adding a brief presentation to new-employee orientation, can help reduce the risk of a successful attack. Gamification is another route that may up-level social engineering awareness; a number of vendors and organizations offer platforms and tools for this purpose.
Especially in this era of an increasingly hybrid workforce, an awareness-building program—no matter its size or scope—becomes even more important. Employees are the first line of defense against these exploits, and education is the key to arming them against social engineering.
But Layer Defenses Wherever Possible
In addition to awareness training and education, quite a number of technologies are available to augment and fortify efforts to limit the impact of social engineering attacks. Cloud-based email security gateways are just one example. Depending on budget, staffing, age of existing infrastructure, the value of the assets to be protected and other aspects, a layered defense strategy may range from relatively low-cost and simple to more elaborate (and expensive) endeavors.
Enforcement of strong passwords is an example of a relatively cheap, easy and fast tactic that can be highly effective in averting data breaches and other cyberattacks. Other strategies and techniques can be rolled out in parallel with existing technologies to minimize disruption while preparing for a new, stronger security infrastructure. A zero-trust network architecture (ZTNA) is one such example; it can be deployed alongside a secure sockets layer (SSL) virtual private network (VPN), working as an overlay at first to boost security and eventually replacing it.
Other social engineering defenses such as multifactor authentication (MFA) are sometimes available as add-on licenses for existing devices including next generation firewall and SSL VPN. Cloud-based MFA and even biometrics are also available as options.
A Constant Threat
Social engineering is a pernicious and constant threat that is by far the leading cyberattack vector. By understanding how it works, educating users and adopting reasonable technology defenses, cybersecurity professionals can work to nullify its impact on critical network resources.
Editor’s note: For further insights on this topic, read Chun Li’s recent Journal article, “Combatting Social Engineering,” ISACA Journal, volume 2 2022.