Social engineering can be difficult to deal with. People inherently want to give out information, especially to Human Resources or the executives. Ira Winkler and Brian Dealy have written an excellent paper, available here. In this article, I want to unpack some of the security implications, and reiterate the “lessons learned” for my readers.
OK, so what is social engineering? Social engineering is a special kind of cyberattack in which the attacker doesn’t have to gain access to your systems first. Instead, they pretend to be someone trustworthy in your organization and simply ask employees for the information they need to hurt you. They can spoof email or gain access to the phone systems, but at the end of the day the attack vector is not technology but people. Great, so how do you stop them? The short answer is education. The longer answer is below.