Learn how to train your employees to combat social engineering attacks. Read the white paper 5 Tips to Train Workforce on Social Engineering.
In data security, a lot of time is devoted to the technical side of security, such as firewalls, vulnerability scanning, and penetration testing. But did you know an attacker could bypass years of IT security work during a social engineering attack?
Social engineering is one of the easiest ways to steal data, especially if employees haven’t been trained on how to recognize and combat it. Social engineers make themselves look like they belong to a company, and can walk into an organization, steal data, and walk out in a very short amount of time.
Since social engineering targets the workforce, the best way to combat it is to train your employees. Here are a few tips to properly train your workforce against social engineers:
Rethink training
Training your employees only when they are first hired, or holding training sessions once a year, isn’t cutting it anymore. The sessions are usually too long, the employees get bored, and most of the crucial security information doesn’t stick as a result.
Instead, do regular training quarterly, if not monthly. Focus on elements of social engineering and what employees can do to be aware of it. Repetition will help your employees to remember and apply their training in everyday situations.
Create policies
The main problem organizations have with social engineering is that their employees don’t know what to do if they find themselves in an uncertain situation. Creating policies helps your employees know the proper protocol for security. Established policies on handling data properly will help your workforce spot suspicious activity. Some specific policies may include:
- ID anyone trying to access off-limits areas
- Never use a USB unless directly obtained from the IT department
- Report lost/stolen badges within 12 hours of discovery
- Alert manager if you’ve encountered a social engineering situation
Make it part of the company culture
Implement a continuous training approach. For many employees, everyday work can cause them to forget crucial security information from trainings. Make social engineering training a part of the employee newsletter, send out regular emails, and put tips on bulletin boards.
If your employees are constantly being reminded to watch out for social engineering and to be mindful of what information they’re allowed to provide, they will know what to do when an attack occurs.
Test your staff
It’s often said that people learn best by doing. Testing your employees gives them an opportunity to practice combating social engineering while helping you see what needs to be improved within your company’s security.
Create a social engineer team and have them test your own employees with some common social engineering tactics. Some things they could do are:
- Pose as a janitor and try to get to a secure room without a badge
- Dumpster dive for sensitive documents
- Leave USB devices around your site and track where they end up
- Try unlocked doors around the backside of buildings
- Pose as an IT person that needs to fix the network and see how close they can get to the server room
Train employees to be skeptical
A skeptical employee is a good employee. Your employees should feel safe to question something if it seems off to them. Create an environment where employees aren’t afraid to report suspicious behavior. Your employees must feel comfortable questioning strangers.
Social engineering should be taken more seriously than it often is. If you don’t already have regular social engineering training in place, begin as soon as possible. Test all of your employees, including upper management.
If you don’t handle it now, you could be paying for it later.
For more information on social engineering and training against it, read the white paper 5 Tips to Train Workforce on Social Engineering.