Social engineering is the process of obtaining information from others under false pretences. It is based upon building an inappropriate trust relationship and can be used against employees, particularly those within organisations where sensitive assets or information are held. For example, it could be an attempt by an unauthorised individual to gain entry to a site, to gain access to an organisation’s secure IT systems, or to persuade someone to share some protected information, using a bogus pretext.
NPSA has produced guidance, Social Engineering Guidance for Employers: Understanding the Threat, to advise security managers about the threat of social engineering and the steps they can take to mitigate it. To help organisations with this, NPSA has also created a complementary campaign entitled 'Be Savvy about the Social Engineer', developed to help organisations educate their employees about social engineering.
Hostile actors use a range of tactics and techniques that are evolving all the time. However, organisations can reduce their vulnerability to a social engineering attack by educating their staff to:
- be alert to the social engineering threat
- be aware of the types of approach they might come across
- remember the importance of following good security advice
The campaign aims to raise awareness about what social engineering is, what an approach might look like, and how staff can better protect themselves against this type of threat.
Be savvy about the social engineer
This NPSA campaign addresses six key issues:
- encouraging employees to use common sense when they encounter something unusual or suspicious (e.g. an unexpected telephone call, email, or social networking invitation)
- verifying the details of unknown suppliers or customers before disclosing organisational information
- thinking about what information is shared outside the organisation and whether it is too much
- checking whether email addresses from unknown senders are genuine or bogus
- being alert to phishing attacks and taking care not to click on malicious links or attachments
- not being pressured into on-the-spot decisions without first checking security policy
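The fourth point above, checking whether a sender address is genuine or bogus, is the one that lends itself to a concrete check. The following is an added example and is not part of the NPSA campaign materials: it classifies the From header of a message against a list of trusted domains, catching a trusted domain used only in the display name, a trusted domain buried as a sub-label of an unrelated domain, and lookalike domains built from character substitutions. The trusted-domain list, the substitution table and the similarity threshold are constructed for illustration and would need tuning for a real organisation.

```python
import difflib
from email.utils import parseaddr

# Constructed for this example: an organisation's own domain and one known supplier.
TRUSTED_DOMAINS = {"example.com", "example-supplier.co.uk"}

# Substitutions commonly seen in lookalike domains (assumption: illustrative, not exhaustive).
# Applied in order; "rn" is handled before any single-character rule could interfere.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Similarity at or above this ratio is treated as a lookalike (assumption: tuning value).
LOOKALIKE_THRESHOLD = 0.8


def normalise(domain):
    """Lower-case a domain and undo common character substitutions."""
    d = domain.lower()
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def classify_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Classify a From header value as trusted, unknown, or one of several bogus patterns.

    Returns one of: "trusted", "unknown", "malformed", "display-name-spoof", "lookalike".
    """
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()

    # Exact trusted domain, or a genuine subdomain of one (mail.example.com).
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"

    # A trusted address shown in the display name while the real address is elsewhere,
    # e.g. "alice@example.com" <x@evil.net>; mail clients often show only the name.
    for t in trusted:
        if t in name.lower():
            return "display-name-spoof"

    for t in trusted:
        # Trusted domain used as a leading label of an unrelated domain: example.com.evil.net
        if domain.startswith(t + "."):
            return "lookalike"
        # Character-substitution or near-miss spellings: examp1e.com, exarnple.com, examplle.com
        nd, nt = normalise(domain), normalise(t)
        if nd == nt or difflib.SequenceMatcher(None, nd, nt).ratio() >= LOOKALIKE_THRESHOLD:
            return "lookalike"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample From headers, not real messages.
    samples = [
        "Alice <alice@example.com>",
        "<helpdesk@mail.example.com>",
        '"alice@example.com" <x@evil.net>',
        "<billing@examp1e.com>",
        "<it-desk@exarnple.com>",
        "<ceo@example.com.evil.net>",
        "<support@acme-widgets.net>",
        "not an address",
    ]
    for s in samples:
        print(f"{classify_sender(s):20s} {s}")
```

The check is deliberately conservative about what it calls trusted: only an exact match or a real subdomain of a listed domain qualifies, so an unknown sender is reported as unknown rather than silently accepted, and the employee is prompted to verify by another channel, as the campaign advises.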
The campaign materials consist of the following:
- guidance for employees, 'Be savvy about the social engineer', which includes a short quiz for staff to test their knowledge
- three posters demonstrating different forms of social engineering: by email, in social situations and in the workplace
- a video for employees: an engaging animation that takes them through a social engineering scenario and what to look out for
- a checklist for employees: practical advice on how to protect themselves from social engineering in the workplace, particularly when using IT
- a social engineering flyer, which can be used to introduce the concept of social engineering to employees, for example at the beginning of a campaign
- full guidance on how to run the campaign
- an evaluation guide for an internal security behaviour campaign