Back to BlogSocial Engineering: The Human Element in Cybersecurity
Have you ever managed to walk into a secure building just by waiting for someone with a badge to open the door, knowing they wouldn’t make a fuss? Or perhaps you told someone you were there for an interview and took advantage of their kindness. Well, then you’ve committed social engineering. The reality is that everyone has it in them to be a social engineer. It’s part of being human. Most people, though, don’t use their powers for nefarious purposes. Unfortunately, cybercriminals do.
Because we’re human, we also have it in us to fall for social engineering schemes. According to a report from Firewall Times, 98% of all cyberattacks rely on some form of social engineering like phishing, whaling, smishing, vishing, baiting, piggybacking, pretexting, honeytraps, scareware, and watering hole attacks. And it turns out small business employees experience 350% more social engineering attacks compared to employees at enterprise-level companies. This means that regardless of the size of your organization, resilience means more than technical and physical protections. Your entire team needs to be part of your cybersecurity solution.
Educating employees about social engineering tactics can help prevent your organization from falling victim to cybercrime. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) provides guidance for integrating education and communication into your cybersecurity plans, with these benefits:
Governance is not a secret. Some organizations establish cybersecurity governance but don’t share it with their employees. When the entire team understands why governance is important and what it entails, they’re more likely to follow the rules.
Tech can’t handle it all. Your security infrastructure always has the potential of being thwarted by “helpful” employees. If they’re not educated about social engineering tactics, they could unwittingly help a cybercriminal gain access to protected systems.
See something, say something. Employees can be the front line of information security when they’re trained to identify potential threats. Help them learn to spot the unusual and know where and how to report what they see.
Information has value. Business data and customer information can feel routine to employees who work with it every day. Security training helps them understand the importance of safeguarding this information, and what measures they should take to reduce exposure.
Threats evolve. Regular training sessions help employees stay informed about new social engineering threats and adapt accordingly. Ongoing training doesn’t have to take a lot of time. It can come in the form of a memo, video, or lunch-and-learn.
Keep regulators happy. Major compliance frameworks, including GDPR and HIPPA, require strong data protection and cybersecurity. Providing social engineering awareness training helps meet compliance obligations and avoid potential legal consequences.
The NIST framework is a guide for developing and implementing a comprehensive cybersecurity plan that’s flexible for your organization’s needs. It helps you design a plan to address the gap between your current state and your objectives. At the core of NIST CSF are five pillars: Identify, Protect, Detect, Respond, and Recover. Using the framework means exploring each of the five pillars to determine where your organization needs to go next. Here we’ll take a look at the pillars that help address the human element—social engineering threats.
NIST CSF and the human element
Social engineering is a much larger threat to uninformed employees. The NIST framework provides guidance in its five pillars for building resilience among employees and other stakeholders.
Identify. This pillar includes governance—the creation and communication of risk-related policies, procedures, and processes, as well as coordinating cybersecurity roles and responsibilities. A governance plan will include policies and procedures around employee awareness, education, responsibilities, and threat reporting.
Protect. A lot of cybersecurity protection falls under the purview of software, hardware, and physical barriers. But awareness and training is highlighted in the NIST CSF as a main category. This includes making sure all users are informed and trained, and targeted training is provided for privileged users, third-parties, senior executives, and security personnel.
Detect. Properly trained employees can play a part in blocking threats, but only a comprehensive detection and response system will identify and block attacks that slip through—whether due to social engineering or hacking. A security information and event management (SIEM) solution like Blumira will detect unauthorized access attempts and unusual activity.
Respond. Communication is an important part of responding to a cybersecurity incident. The NIST CSF recommends developing communication flows in advance so personnel understand their roles and information can be shared with all necessary stakeholders to contain and mitigate the situation.
Recover. Recovery from a cybersecurity incident includes incorporating lessons learned into the overall plan. This might mean debriefing employees to increase their awareness about vulnerabilities, or changing training modules.
Blumira will never tell you that a robust cloud-based SIEM is all you need for comprehensive cybersecurity. Making security education and awareness part of every employee’s job is a vital first line of defense. But the reality is, attackers are always looking for ways to get in. The Blumira SIEM+XDR solution provides the continuous monitoring, analytics, and automated response that small and medium-sized organizations need to enhance protection, mitigate risk, and meet compliance obligations. Blumira experts will help you deploy quickly, assess the threats you detect, and customize monitors to meet your organization’s unique needs.
You may decide that you’ll need to spend more time developing and delivering employee training in order to address the very real threats of social engineering. The good news is that Blumira saves time for IT teams that are already stretched thin—most Blumira users spend only 15 minutes per day on the platform.
Learn more about how Blumira supports your cybersecurity strategy by trying out our free Blumira SIEM.
This article is part of a five-part series that can help your organization adopt the NIST CSF.