Social engineering will put your layered defenses to the true test. Even with strong security controls, a naïve or untrained user can let the social engineer into the network. Never underestimate the power of social engineers — or the readiness of your users to help them get their way.
Specific policies help ward off social engineering in the long term in the following areas:
- Classifying information so that users don’t have access to certain levels of information they don’t need
- Setting up user IDs when hiring employees or contractors
- Establishing acceptable computer usage that employees agree to in writing
- Removing user IDs for employees, contractors, and consultants who no longer work for the organization
- Setting and resetting strong passphrases
- Responding quickly to security incidents, such as suspicious behavior and known malware infections
- Properly handling proprietary and confidential information
- Escorting guests around your building(s)
User awareness and training
One of the best lines of defense against social engineering is training employees to identify and respond to social engineering attacks. User awareness begins with initial training for everyone and continues with security awareness initiatives that keep social engineering defenses fresh in everyone’s mind. Align training and awareness with specific security policies — you may also want to have a dedicated security training and awareness policy.
As you approach ongoing user training and awareness in your organization, the following tips can help you combat social engineering in the long term:
- Treat security awareness and training as a business investment.
- Train users on an ongoing basis to keep security fresh in their minds.
- Include information privacy and security tasks and responsibilities in everyone’s job descriptions.
- Tailor your content to your audience whenever possible.
- Create a social engineering awareness program for your business functions and user roles.
- Keep your messages as nontechnical as possible.
- Develop incentive programs for preventing and reporting incidents.
- Lead by example.