Edition One
It's personal.
A view from The AntiSocial Engineer’s Richard De Vere

Watch the video, and you’ll understand why I’ve made it my life’s work to help prevent people from falling victim to social engineering attacks.
At one point in the video, I’m asked “Who is affected most by social engineering attacks: organisations or people?”
For me, there’s no real distinction, because organisations are made up of people. But this question highlights an interesting dynamic: how are people in organisations affected when their actions – for example responding to a phishing attempt – are directly or indirectly responsible for a data breach?
When these attacks make the headlines, their impact is typically measured in business terms, and focuses on areas like operations, financial losses and the amount of data that was stolen. But we seldom see coverage of how the individuals who’ve been tricked were affected.
Attack tactics are wide ranging and can include phishing emails or SMS, convincing phone calls, simply helping oneself to documents left on desks and more.
Attackers rely heavily on typical human behaviours and exploiting personal angles, and so the resulting impact on the individual’s confidence, self-esteem and reputation can be devastating.
Proactive protection
I believe organisations should think through these potential scenarios, and that education and training have a pivotal role to play in protecting against the fall-out from a successful attack. But I also believe that mitigating the risk of social engineering means making sure training is delivered in the right way – so that people actually absorb it.
In my view, the only truly effective way to do this is to put examples into a relatable context so people can identify with them personally. If these issues are discussed in ways that employees can easily recognise, both as individuals and as part of an organisation, we can prevent people taking an “us and them” view of social engineering attacks.
Bring human hacking to life
For example, your training programme can show how a social engineer might try to steal people’s bank or credit card details, and how that would affect someone personally. But it can also highlight the organisational impact on individuals – for example, if a company were forced to make redundancies after suffering a big financial loss as the result of a data breach.
Unfortunately it's not just as simple as patching a human. But I believe we can go a long way towards tackling this issue with clear and relatable education that minimises the impact of human hacking on both organisations and the individuals who work for them.