Cybercrimes are an ever-increasing threat to individuals, businesses and governments. People typically think of these crimes as blunt attacks, malicious actors hacking into computers and networks by brute, technical force. However, the most insecure component of information security systems is often the human element, not the technical one.
The Verizon 2021 Data Breach Investigations Report (DBIR) notes, “85% of data breaches in 2020 involved a ‘human element.’” Social engineering is a prevalent force behind these attacks. Given this, the human aspect of social engineering attacks and prevention is essential for current cybersecurity efforts.
The online Master of Science (M.S.) in Cybersecurity with a Specialization in IT and Cybersecurity Policy program from La Salle University reflects this focus. The curriculum features comprehensive cybersecurity coursework as well as specialization topics such as leadership assessment and crisis management. These studies are vital in tackling the unique challenges of protecting organizations from social engineering attacks.
What Is Social Engineering in the Context of Cyberattacks?
TechCentral describes social engineering as “the techniques used to coerce or talk a victim into revealing information that someone can use to perform malicious activities.” TechCentral defines a cyberattack as an attempt “to breach an organisation’s or individual’s information system to benefit the cybercriminals financially or cause ongoing disruption to the victim.”
Thus, a social engineering cyberattack attempts to access computer systems and sensitive information by manipulating and taking advantage of people. Criminals (threat actors) leverage gained information to achieve ill-intentioned goals.
Social engineering tops the Verizon DBIR list of prevalent attack patterns in breaches. Basic web application attacks represent the second-most common cyberattack vector in violations and can also originate from social engineering efforts.
What Kinds of Social Engineering Attacks Do Cybercriminals Use?
Phishing is the most common social engineering cyberattack. According to the FBI’s 2021 Internet Crime Report, phishing is the most common cyberattack vector.
Phishing uses communication channels, most often email, to get people to give up sensitive information, pay the attacker money or unknowingly install malware on their computers or networks. Beyond email, subsets of phishing include smishing (via text), vishing (by phone) and social media phishing.
Phishing messages often include attachments or website links that, if a person opens the attachment or follows the link, download malware and harvest information. They may trick victims into giving the threat actor access to information, credentials, personal contacts and security vulnerabilities. Access to personal accounts can lead to further distribution of phishing messages, exponentially increasing a cyberattack’s reach.
Cybercriminals may use threats of disclosing sensitive personal information to coerce or extort people. Or, they may pose as a trusted source (a personal contact, colleague, boss, financial institution or service provider) to access information, computers and networks. This is often the case with business email compromise (BEC), where a threat actor may disguise themselves as a member of the organization’s leadership team. The FBI reports that BEC accounted for $2.4 billion in losses in 2021 alone.
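The impersonation described above (a sender posing as a trusted contact or as a member of leadership) leaves traces a mail gateway or analyst can check for. The following is an added example, not code from the article or from La Salle University: a small defender-side screen that flags the usual BEC signals, namely a known executive's display name on an address that is not theirs, a domain that is a one- or two-character edit away from the organisation's own, a Reply-To that diverts answers elsewhere, and pressure language. The organisation domain (`example.com`), the executive list and the sample messages are all constructed for illustration.

```python
"""Heuristic screen for business email compromise (BEC) style impersonation.

Added example, not from the original article. The organisation domain,
executive list and sample messages below are constructed for illustration.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                              # assumed: the defended organisation's mail domain
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}   # assumed: display name -> legitimate address
PRESSURE_TERMS = ("urgent", "immediately", "wire transfer", "gift card", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (one or two character edits)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(msg: dict) -> list[str]:
    """Return tagged reasons this message looks like BEC; an empty list means no signal."""
    reasons = []
    name, addr = parseaddr(msg.get("from", ""))
    from_domain = domain_of(addr)

    # 1. Display name of a known executive, but the address is not that executive's real one.
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and addr.lower() != legit:
        reasons.append(f"exec-impersonation: '{name}' sent from {addr}, expected {legit}")

    # 2. Sender domain is a near-miss on, or embeds, the organisation's domain.
    if from_domain and from_domain != ORG_DOMAIN:
        near = 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2
        embedded = ORG_DOMAIN in from_domain
        if near or embedded:
            reasons.append(f"lookalike-domain: {from_domain} resembles {ORG_DOMAIN}")

    # 3. Reply-To routes answers to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"reply-to-mismatch: replies go to {reply_domain}, not {from_domain}")

    # 4. Pressure language typical of payment-diversion requests.
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if hits:
        reasons.append("pressure-language: " + ", ".join(hits))
    return reasons


def screen(messages: list[dict]) -> dict[str, list[str]]:
    """Map each message id to its findings; an id with an empty list passed the screen."""
    return {m["id"]: assess(m) for m in messages}


# Constructed sample messages (not real mail); '.invalid' domains are reserved and never resolve.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Dana Reyes <dana.reyes@example.com>", "reply_to": "",
     "subject": "Q3 planning", "body": "Draft agenda attached for review next week."},
    {"id": "m2", "from": "Dana Reyes <dreyes.office@webmail.invalid>", "reply_to": "",
     "subject": "Urgent request", "body": "Please process a wire transfer today and keep it confidential."},
    {"id": "m3", "from": "Accounts Payable <ap@examp1e.com>", "reply_to": "",
     "subject": "Updated bank details", "body": "Our remittance account has changed; see attached."},
    {"id": "m4", "from": "Dana Reyes <dana.reyes@example.com>", "reply_to": "dana.reyes@example-mail.invalid",
     "subject": "Quick favour", "body": "Can you reply here? I am in meetings all day."},
]

if __name__ == "__main__":
    for mid, findings in screen(SAMPLE_MESSAGES).items():
        print(mid, "OK" if not findings else "; ".join(findings))
```

Each finding carries a tag so it can be routed: a lookalike domain or executive impersonation is a strong enough signal to quarantine, while pressure language alone is better surfaced as a banner that prompts the recipient to verify the request out of band, which is exactly the habit the training discussed below is meant to build.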
How Can Companies Protect Themselves From Social Engineering Attacks?
Fundamental cybersecurity practices apply to protecting organizations against all types of cyberthreats, including social engineering. Cybersecurity professionals select, design and implement the systems that secure information across an organization’s information ecosystem. They maintain and continuously improve protection systems for an organization’s devices, data, networks and communication channels.
This work involves controlling sensitive data access, integrating multifactor user authentication, using up-to-date antivirus and anti-malware software and implementing cryptographic protocols. Advanced, AI-driven software can continuously monitor security, identify vulnerabilities and rapidly detect and address threats.
Professionals should prioritize security in selecting cloud-based solutions and communication systems, maintaining continuity in protections across hybrid environments. Organizations can back up data securely through an in-house or third-party cloud and off-site colocation, mitigating risk and loss in the case of attack incidents.
However, cybersecurity also involves people. Regarding social engineering, educating end-users at all levels of an organization’s structure is perhaps the most impactful cybersecurity practice. This process is especially pertinent given the social engineering vulnerabilities inherent to remote work environments and multichannel communications.
Leadership and employees should receive regular training on developing cybersecurity practices and the myriad threats and vectors of social engineering. One increasingly common cybersecurity practice is social engineering penetration testing. For example, management should train the staff to identify phishing emails. Then, over the following months, penetration testers send fake phishing emails to the team to test their competence and ability to detect potential threats.
La Salle’s Comprehensive Cybersecurity Curriculum
Unfortunately, an organization’s human assets — its employees — are also its main vulnerability to social engineering attacks. As staff members, consultants, penetration testers or trainers, cybersecurity professionals play a central role in helping an organization’s employees guard against these complex, evolving cyberthreats.
In classes such as Cybercrime, Cyber Warfare, Cyber Espionage and Crisis Management and Business Continuity, graduates of La Salle’s online M.S. in Cybersecurity with a Specialization in IT and Cybersecurity Policy program learn how to anticipate, defend against and respond to social engineering attacks on their organizations.