Saturday, May 10, 2014

Prevention and Mitigation of Social Engineering Attacks

Sometimes after I give a speech or security training, people will look very paranoid and scared and say something like, “It just seems there is no hope to even attempt security. How do I do it?”

That is a good question. I promote having a good disaster-recovery plan and incident response plan because nowadays it seems that it is not a matter of “if” you will get hacked, but “when.” You can take precautions to give you at least a fighting chance at security.

Social engineering mitigation is not as easy as ensuring hardware security. With traditional defensive security you can throw money into intrusion detection systems, firewalls, antivirus programs, and other solutions to maintain perimeter security. With social engineering no software systems exist that you can attach to your employees or yourself to remain secure.

Security awareness is not about a 40-, 60-, or 90-minute program once every year. It is about creating a culture or a set of standards that each person is committed to utilizing in his or her entire life. It is not just about work or websites deemed to be “important,” but it is the way one approaches being secure as a whole.

Here are the top six steps I tell my clients they can take to prevent and mitigate social engineering attempts:

  1. Learning to identify social engineering attacks
  2. Creating a personal security awareness program
  3. Creating awareness of the value of the information that is being sought by social engineers
  4. Keeping software updated
  5. Developing scripts
  6. Learning from social engineering audits
