Why does social engineering work?
Social engineering is the art of manipulating people into doing things they usually wouldn't do, exploiting human weaknesses to gain access to personal information. But what makes it so effective?
What is social engineering?
In the most basic terms, social engineering involves manipulating people (or the processes they follow) into revealing valuable information. This information can be anything from dates and names to addresses and similar personal details. Examples of social engineering attacks include phishing, spamming, dumpster diving, shoulder surfing, tailgating and impersonation.
Impact of social engineering on organisations.
When a company is attacked in any way and the attack is then made public, its reputation suffers and the company is associated with the attack for some time, e.g. Sony. This is called reputational damage. Customers can feel they can no longer trust the organisation, stop supporting or associating with it, and move to competitors. This in turn leads to financial loss. Financial loss can also be caused by lawsuits from customers and/or fines from the ICO for breaching information rights, for example. Each of these consequences tends to trigger the next, producing a snowball effect. If the organisation is quite small, the fines and lawsuits can become a burden and force it to close temporarily or permanently.
Factors that make companies vulnerable to social engineering attacks.
The main reason social engineering attacks are so effective is that people are too trusting. They believe people are who they say they are, and people are typically bad at detecting deception; social engineering relies on exactly that trust. Another factor is that people want to be helpful, especially receptionists and low-level employees, who are the usual targets of social engineering attacks. A social engineer can take advantage of these people.
Next, minimal staff training. Many people aren't aware of social engineering attacks and therefore fall for them. It's good to train staff regularly to be aware and to ask relevant questions such as: why does someone need this information so urgently? Do you work here? In which department? Do you have ID? Running practice social engineering exercises is a good way to train staff and make sure they understand the dangers. A lot of people believe it will never happen to them, until it does, and then it's too late.
Another factor that keeps companies vulnerable is a lack of security policies. Security policies are the rules, plans and practices set out by the company to protect its systems, its data and its individual employees.
1) Password Policy: This will differ between companies but should include password guidelines (length, special characters etc.) as well as how regularly passwords should be changed, and whether and when passwords may be reused. Any other rules about passwords should also be included in the policy.
2) Electronic Communication Policy: This properly informs employees how to use the company's electronic communications, which includes email, video calls, messaging, websites and more. It should make sure employees know what to do when they receive a suspicious email containing hyperlinks (most likely a phishing attack).
3) Physical Security Policy: This covers monitoring, controlling and granting visitors physical access to the building. Granting physical access to visitors can involve having them sign a visitor log, issuing a distinctive lanyard that identifies them as a visitor, and supervising them at all times while they are on the premises.
These are just some examples of policies; there are many more that can be put in place.
Why is social engineering effective?
As mentioned before, people are too trusting. Social engineers use this to their advantage, and it is what makes their attacks work. Going hand in hand with being too trusting is people not being trained and aware. This causes major flaws in security and puts data, systems and other employees in danger. Security is only as strong as its weakest link, and that link is us, humans. Trust also links to not questioning authority: we tend to believe people are who they say they are, and we don't question them. A social engineer can easily use this to their advantage by impersonating a member of the C-suite in a business environment. To fix this, organisations need to raise awareness, train all staff and make sure their security is updated and inspected regularly, whether that means planning and running regular tests on their staff, or reviewing the different policies and organising regular staff training to keep everyone alert.
Another factor is that people have a desire to be helpful; it's in our nature. When you're in an office and see someone with their hands full trying to open a door, you feel an urge to help, either by opening the door or by taking some of the things from their hands. Social engineers can easily turn this desire to be helpful against us in many scenarios, especially in work environments, where we feel safer and don't tend to think we are being conned in any way.