Wikipedia defines social engineering, in the context of information security, as the “psychological manipulation of people into performing actions or divulging confidential information.” Our increasing reliance on vast networks of digital technology for information storage, research, controls, and transactions makes organizations highly vulnerable to social engineering fraud.
There is a strong urge to combat this risk with a technological fix like stronger encryption or better management controls. The problem is not a technical one because social engineering fraud is based on the exploitation of human interactions and human frailties.
In 2011, a leading information security company suffered an attack on its widely-used authentication program. Upon investigation, the company learned that low level employees had been the target of an authentic-looking email phishing attack that claimed to be about employee compensation. When one employee clicked on a phony spreadsheet titled ‘2011 Recruitment Plan.xls’ it executed a piece of code that installed a backdoor on the company’s software that could be exploited. This breach cost the company $66 million.
So, what can you do to prevent this fraud? Here are 5 ideas about how to address some of the human risks that can lead to social engineering fraud:
- Foster and sustain a culture of security at all levels of the organization. Make people aware of how human behavior, not just technological failure, can be a threat.
- Periodically evaluate your internal controls and compliance with them, preferably using an independent auditor.
- Train people to recognize common types of social engineering and how these tactics could overwhelm standard controls.
- Perform regular stress tests on your controls to determine if they can be penetrated.
- Get expert help to design a social engineering fraud prevention program.
Learn more about social engineering fraud from our infographic, below. And then contact the risk management consultants at Lowers & Associates if you want to improve your ability to prevent and detect this human risk.