Lynda L. Buel, CPP, CFE, CSC
CPTED Practitioner, President, International Association of Professional Security Consultants
Social engineering is a collection of techniques to manipulate people into performing actions or revealing confidential information.
In many cases, unauthorized individuals use social engineering to trick your users into clicking on links in email messages, visiting fake websites, downloading and installing software, and divulging sensitive or personally identifiable information.
In a corporate environment specifically, social networks are used to share information with customers, staff, suppliers, business contacts, investors, and others. It is common practice for marketers and salespeople to use social networks to communicate with customers.
Because most of this communication takes place electronically, attackers can impersonate a trusted contact on a social network to entice users to perform actions, disclose trade secrets, click on links to sites hosting malware, and much more.
A shared responsibility
When it comes to social engineering, users have a responsibility to protect sensitive and confidential information. Controls that help protect against social engineering include, but are not limited to, security awareness training, spam filters, firewalls, and endpoint protection software.
Social networking policies and procedures should require settings that protect users and the organization from internet threats. Below is a list of examples that can protect users from social networking threats:
- Visibility: Change the default setting to restrict access to a user’s profile, so that “just friends” have viewing rights.
- Contacts: Configure the settings so that the user’s contact list (their network) is not shown on the profile page.
- Applications: Disable public search results, which prevents search engines from indexing the user’s posts.
- Photos: If settings are not set appropriately, tagged photos can be seen by others. Restrict access to photos by configuring the privacy settings.
- Posts: Create a procedure to monitor any staff postings to ensure no sensitive information is disclosed. There are tools available to analyze data on thousands of social networking pages.
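The monitoring procedure in the last item can be automated at a basic level. The following is an added example, not code from the author or from any product: a small scanner that flags staff posts containing disclosure indicators (classification markers, credential-like strings, US SSN patterns, a hypothetical internal domain, and a hypothetical watchlist of project names). The sample posts, domain and watchlist terms are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed watchlist an organisation would maintain itself (hypothetical
# project codenames and an internal domain); not taken from any real company.
WATCHLIST = {"Project Falcon", "Q3 earnings draft"}
INTERNAL_DOMAIN_RE = re.compile(r"\b[\w.-]+\.corp\.example\b", re.I)

# Generic indicators of sensitive disclosure, independent of the organisation.
PATTERNS = {
    "classification_marker": re.compile(r"\b(confidential|internal[ -]only|do not distribute)\b", re.I),
    "credential": re.compile(r"\b(password|passwd|api[_ -]?key|token)\s*[:=]\s*\S+", re.I),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

@dataclass(frozen=True)
class Finding:
    rule: str
    snippet: str

def scan_post(text: str) -> list[Finding]:
    """Return every disclosure indicator found in a single post."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(name, m.group(0)))
    for m in INTERNAL_DOMAIN_RE.finditer(text):
        findings.append(Finding("internal_hostname", m.group(0)))
    lowered = text.lower()
    for term in WATCHLIST:
        if term.lower() in lowered:
            findings.append(Finding("watchlist_term", term))
    return findings

def review_queue(posts: dict[str, str]) -> dict[str, list[Finding]]:
    """Map post id -> findings, keeping only posts that need human review."""
    return {pid: f for pid, text in posts.items() if (f := scan_post(text))}

# Constructed sample posts standing in for a collected social-network feed.
SAMPLE_POSTS = {
    "p1": "Great team lunch today, happy Friday everyone!",
    "p2": "Finally shipped the Project Falcon build, login at build01.corp.example with password=Summer2024!",
    "p3": "Reminder: the Q3 earnings draft is CONFIDENTIAL until the call.",
}

if __name__ == "__main__":
    for pid, findings in review_queue(SAMPLE_POSTS).items():
        print(pid, [(f.rule, f.snippet) for f in findings])
```

Pattern matching of this kind produces false positives, so the output is a review queue for a person, not an automatic takedown list.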
Network security audits can help ensure the organization’s assets have the correct security controls in place. In addition, social engineering security assessments can help protect your sensitive data and intellectual property by evaluating and measuring the effectiveness of your employee security education training.
Documented policies help manage security risk using a top-down approach, by ensuring the appropriate measures are in place.