Many organizations will also need to improve the physical security of their facilities. Measures that help prevent social engineering attacks also include the following:
- Do background checks when hiring employees.
- Screen temporary and ancillary workers.
- Set up a clear reporting process for security problems.
- Open the lines of communication between physical security and the IT department.
- Monitor employee behavior patterns for abnormal activities and access violations.
- Lock out terminated employees immediately.
- Create a positive work environment, which will cut down on disgruntled employees.
- Publish a formal written company policy stating that the IT department will never ask for a user’s password.
- Require ID badges for employees and mandate that an employee with a badge accompany visitors.
- Use different logins for each service and secure your passwords: Never use the same password for all services. And make sure your passwords are strong and complex so they’re difficult to guess.
- Use two-factor authentication: This makes it harder for thieves to get into your account, even if your username and password are compromised.
- Get creative with security questions: The additional security questions websites ask you to fill in are supposed to be another line of defense, but often the answers are easily guessed or discoverable (e.g., where you were born). You can mix uppercase and lowercase letters and add numbers to turn the answer into a leet-style word, so that only you know those security answers.
- Use credit cards wisely: Credit cards are the safest way to pay online (better than debit cards or online payment systems like PayPal), because of their strong protections. If you use a debit card and a hacker gets access to the number, your entire bank account could be drained. You can further secure your credit card by not storing card numbers on websites or using disposable or virtual card numbers.
- Frequently monitor your accounts and personal data: To be on the lookout for both identity theft and credit card fraud, check your account balances and credit score regularly. Several services offer free ID theft monitoring, credit monitoring, and alerts for questionable credit charges. You can even use Google Alerts as an identity theft watchdog.
- Remove your info from public information databases: Sites like Zabasearch and People Finders publish our private information (like address and date of birth) online for all to see. Remove yourself from these lists with this resource.
Organizations reduce their security risks by:
- Establishing frameworks of trust on an employee/personnel level.
- Identifying which information is sensitive and evaluating its exposure to social engineering and to breakdowns in security systems (building, computer system, etc.).
- Establishing security protocols, policies, and procedures for handling sensitive information.
- Training employees in the security protocols relevant to their position.
- Performing unannounced, periodic tests of the security framework.
- Reviewing the above steps regularly: no solution to information integrity is perfect.
- Using a waste management service whose dumpsters have locks, with keys limited to the waste management company and the cleaning staff. Locate the dumpster either in view of employees, so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence, so that a person must trespass before they can attempt to access it.
Social engineering attacks are elusive and can have very damaging consequences for an organization, but you can take a number of steps to mitigate such attacks. By increasing users’ awareness of social engineering techniques and setting up commonsense business processes, you can change the culture of your organization to guard against these attacks.