Hardening your environment to resist social engineering attacks, especially targeted ones, is more a matter of training than a regular security control. Social engineering attack goes right to the weakest point in an organization’s protection: its employees.
People make choices every day that affects or even compromise implemented security measures. Every con man understands that there is a sequence of words or actions that will get almost anyone to unknowingly make an action or expose data they shouldn’t. This is because most people do not understand the risk of their actions. Failure to perceive the risk until it is too late is at the heart of most SEAs (social engineering attacks).
Bank workers know that they are working in an environment that needs security and attention. They probably don’t have to be warned of the threat of robbery; they are aware of it and understand the risk of being stolen is very real.
Sadly, the level of awareness is not the same in most corporate environments. Workers typically see the threat of a SEA to be hypothetical and unlikely, even if they have been cheated in the past.
The best protection against social engineering attacks is awareness training and simulated targeted attacks. A complete program will help employees understand the value of the assets being protected as well as the costs associated with a breach.
