Chances are that most of the people you know are good, trustworthy people. You might not want to do coffee with grouchy Tim from accounting, but you could probably count on him not to walk off with any of your belongings if he passed by your office and noticed something you left lying around.
To the adept social engineer, the fact that most people are trusting and helpful is a blessing. It’s what allows them to take advantage of, and blindside, just about anyone — from receptionists to C-level executives. And it’s how they infiltrate even the most secured networks and weasel information out of the most guarded systems with ease: by enlisting the help of one or two unwitting assistants on the company’s payroll.
We humans are far easier to manipulate than a properly configured firewall or a comprehensive endpoint protection tool set. Think about it — it takes less time to dupe someone into handing over his or her passwords (often just a matter of a conversation or two, in which trust is built and then exploited) than it does to brute-force a 10-digit password (in case you were wondering, that takes 4 months).
Employee Awareness Training is the Key — Or is it?
To try to compensate for the human factor, companies turn to employee security awareness training programs. The idea behind these programs is to get employees to the point where they can spot a bogus email or out-of-place miscreant a mile away. With this heightened awareness, companies hope to prevent social engineering from getting the best of their employees and their data.
Education is fantastic; any attempts to raise employee awareness should be duly lauded. Security awareness training can greatly reduce the success rate of attacks commonly associated with data breaches, such as phishing. Now your employees know better than to fall for the “Windows Tech Support” scam and they probably also realize that poorly worded emails proclaiming that they have won Google’s/Microsoft’s/Apple’s grand prize are bunk and should be deleted and reported.
Human Error Will Always be a “Thing”
Here is the problem: education can only go so far when the enemy is human ingenuity. Attackers are always on the lookout for new ways to con and breach, both on the human and machine level. So while your employees know to steer clear of some of the more obvious phony emails, they may not suspect that the resume that just landed in your HR inbox is actually just a malware-laced attachment. It probably took the attacker just a few minutes to scrape the relevant email address and an actual job opening off your Careers page, and use that information to craft a highly plausible spear-phishing email. In fact, in the last few years more than a few organizations have been duped by attackers who leveraged this technique to breach the corporate network.
Employee education wouldn’t have prevented a diligent HR person from opening that attachment – by opening it, they were simply doing their job. Moreover, even if employees are doing significantly better than they were before, a single slip-up is all it takes to open the door to infiltrators. When it comes to protecting your network, you need as close to a zero margin of error as possible – anything less isn’t actually protecting your network.
Education + Browser Isolation
The truth is that no matter how much training you provide, people will always make errors. Maybe it will be the new guy, who wasn’t around for the last awareness seminar, or maybe it’s an overly eager marketing associate looking for new leads — whatever the case, people will always be vulnerable to social engineering. This is why it’s critical to minimize the degree to which security relies on users’ imperfect decision-making capacity.
Technologies that employ a zero-trust security model, such as Remote Browser Isolation, are key to ensuring that even when users make an all-too-human lapse in judgment and click on the “wrong” links, your networks remain uncompromised.