Stopping the Social Engineer
As with any information security threat, your institution needs to plan for social engineering, and attempts from outside the institution should be expected as a matter of course. Your employees will be best protected against social engineering when a set of core controls is in place.
When developing these controls, consider their implications. Don’t let the controls disrupt the institution’s regular operations, and make sure they are strong enough to stop several types of attack at once, since attackers commonly combine techniques (a phone call to confirm a name, then an e-mail that uses it). The controls should also make it easy for staff to tell a social engineering attempt apart from the ordinary requests they handle every day.
You’ll also want the full backing of your board and the institution’s management team. They need to know what part they play, and each of them should help identify what needs to be protected.
Set the rules for physical access for everyone across the institution, with no exceptions. Not even your president should be able to get into your computer room or gain access to systems without proper authorization. Most institutions issue access identification (badges or some other credential that must be presented on entering the facility), and this is recommended. Tell your staff to make sure the photo on the badge matches the person wearing it.
Make your security policy and procedures crystal clear to everyone in the institution. If in doubt, staff should check the policy or, better, ask the security department for clarification. It costs little to ask first, so encourage staff to know the limits of what they are allowed to do, especially when it comes to giving out information of any kind.
Security awareness and education will stop many of the social engineering attempts that are tried. Letting your staff know it is okay to question someone about who they are and why they’re asking for a particular piece of information is a good start. Well-trained staff will know to report suspicious behavior immediately. Give your staff a list of signs that may help them spot a social engineer at work, and run through several scenarios with them that focus on the type of attack their department is most likely to face; this trains the behavior you want to see.
Setting up a solid security framework in the infrastructure lets the institution’s staff focus on their work. Configuring firewalls to log both outgoing and incoming traffic, not just inbound connection attempts, helps your firewall administrator notice when something looks out of the ordinary, such as an internal workstation that starts talking to an outside host on a port it never used before.
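As an added illustration of the point above (example code, not from the original article or any particular firewall product): the script below reads a few constructed firewall log lines, in an assumed `key=value` format, and flags allowed outbound flows from internal hosts to external addresses on ports outside an assumed baseline, plus external hosts that several internal machines have contacted. The log lines, the `10.0.0.0/8` internal range and the baseline port set are all assumptions made for the example.

```python
"""Flag out-of-the-ordinary outbound connections in firewall logs.

Example code added for illustration. The log format, the sample lines and
the egress baseline below are constructed assumptions, not a real vendor
format or real traffic.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sample log lines (not from any real device). Assumed format:
# <time> <IN|OUT> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n> action=<ALLOW|DENY>
SAMPLE_LOG = """\
2024-03-01T09:00:01 OUT src=10.0.5.12 dst=93.184.216.34 proto=tcp dport=443 action=ALLOW
2024-03-01T09:00:03 IN src=203.0.113.7 dst=10.0.5.12 proto=tcp dport=3389 action=DENY
2024-03-01T09:00:05 OUT src=10.0.5.12 dst=198.51.100.9 proto=tcp dport=4444 action=ALLOW
2024-03-01T09:00:06 OUT src=10.0.5.40 dst=10.0.0.53 proto=udp dport=53 action=ALLOW
2024-03-01T09:00:07 OUT src=10.0.5.40 dst=198.51.100.9 proto=tcp dport=443 action=ALLOW
2024-03-01T09:00:09 OUT src=10.0.5.12 dst=198.51.100.9 proto=tcp dport=4444 action=ALLOW
2024-03-01T09:00:10 OUT src=10.0.5.77 dst=198.51.100.9 proto=tcp dport=22 action=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Assumed baseline: workstations are expected to talk out only on these ports.
BASELINE_EGRESS_PORTS = {53, 80, 443}
# Assumed internal address range.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def _allowed_external_egress(log_text):
    """Yield parsed records for ALLOWed outbound flows to external hosts."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "OUT" or rec["action"] != "ALLOW":
            continue
        if ipaddress.ip_address(rec["dst"]) in INTERNAL_NET:
            continue
        yield rec


def find_egress_anomalies(log_text, baseline_ports=BASELINE_EGRESS_PORTS):
    """Return (src, dst, dport) for allowed egress on non-baseline ports.

    Inbound DENYs are deliberately not reported: that traffic was blocked.
    The interesting event is an internal host that successfully reaches an
    outside address on a port it is not expected to use.
    """
    return [
        (rec["src"], rec["dst"], rec["dport"])
        for rec in _allowed_external_egress(log_text)
        if rec["dport"] not in baseline_ports
    ]


def external_fan_in(log_text):
    """Map each external destination to the number of distinct internal
    sources that contacted it; several hosts reaching one unfamiliar address
    is worth a second look even when the ports are ordinary."""
    peers = defaultdict(set)
    for rec in _allowed_external_egress(log_text):
        peers[rec["dst"]].add(rec["src"])
    return {dst: len(srcs) for dst, srcs in peers.items()}


if __name__ == "__main__":
    for src, dst, port in find_egress_anomalies(SAMPLE_LOG):
        print(f"unexpected egress: {src} -> {dst}:{port}")
    for dst, count in external_fan_in(SAMPLE_LOG).items():
        if count > 1:
            print(f"{count} internal hosts contacted {dst}")
```

On the sample input this reports the two connections to port 4444 and the one to port 22, and notes that three internal hosts contacted 198.51.100.9. In practice the baseline would be built from a period of known-good traffic per host group rather than hard-coded, but the shape of the check is the same: look at what leaves, not only at what is blocked on the way in.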
Make public only generic information; doing this limits the surface an attacker can work from. Your website, public databases, internet registration records and other public data sources should show only the institution’s main phone number and job titles, with no staff names, for example “ABC Financial Institution webmaster” rather than “Jane Smith, webmaster”.
Create your institution’s incident response plan. Write it before an incident is under way, and make sure the institution’s staff have the document. Say a staffer gets an urgent phone call demanding that some action be taken immediately; the staffer should know exactly what to do according to the incident response plan. Verifying the caller’s identity and authority is part of that plan; only once authorization to perform the request has been confirmed is it carried out, and everything else follows the plan.
Build your institution’s security posture by making clear that information security is every individual’s responsibility. Support them by building security awareness and by telling them how to act when faced with an information security question. Let them know your door is open and that their questions are welcome.