Tuesday 3 December 2013

Social engineering: beyond awareness


Social engineering is the topic of our latest security awareness module, delivered to customers over the weekend. 

Given that awareness is a means to an end, not an end in itself, we took the trouble to explain both what social engineering is and how employees should respond if they suspect they are being socially engineered - in other words, both informing and motivating them to behave differently.

Picking up on a suggestion from DEFCON 2013 to encourage critical thinking, the awareness materials aim to get people to think about what they are being asked before responding. Simply knowing that the requester might not be who they claim to be, and that the request might not be legitimate or appropriate, could be all it takes to avoid falling for a scam. The trick is first to learn how typical social engineering attacks take place, and then to recognize the warning signs, the red flags as we call them - but even that is not enough: employees need to know what to do next if they spot the red flags. What is the correct response: slam down the phone or delete the email? Report a security incident? Provide false information? Or perhaps play along, probing the requester for more information? It's not entirely obvious what to do, and since it is context-dependent, it's not easy to define a simple, fixed process. 

Furthermore, if a legitimate business inquiry were misinterpreted as a social engineering attack, responding too harshly could damage the relationship and harm the business.

The line we took in the module is for people to refer suspected social engineering attacks to specially trained individuals for further investigation. Specifically, we are calling on 'front line workers' who deal with strangers, visitors, inquiries and queries routinely - all day every day. Front-liners are well-practiced at distinguishing various unwelcome inquiries and unauthorized or inappropriate requests from genuine business contacts. Most know instinctively how to deal with them, but a little training on social engineering puts the icing on the cake.

What does your security awareness program say about social engineering? Does it explain the red flags and encourage critical thinking? Or could your awareness program do with a booster shot? 
