Trust everything less: the 3-step social engineering defence

The ease with which people can be manipulated is often staggering. We see it in our lives on a daily basis, but might not pay it much attention. Take a moment to think about the objectively absurd things you’ve seen people do. People can be convinced, tricked, and nudged into doing almost anything. They can also often be bought. 

Human error is a concern for every single business on the planet. Companies dedicate tons of resources—both financial and human—to error risk mitigation. Training, tools, safety equipment and procedures all help people make fewer mistakes. Human credulity should be treated the same way. Why? Because, again—the ease with which people can be manipulated is staggering. 

That’s why social engineering is an increasingly popular attack vector. The recent Twitter attack showed that no company is immune. But we all should’ve known that by now. Whether it’s a data breach, phishing scam, or a DDoS attack, companies can’t ever be satisfied with their preparation efforts. 

We sat down with our Chief Technology Officer Juta Gurinaviciute and asked what companies can do to stay safe.

“At the end of the day, you’re never going to fully protect yourself. Unless you’re operating within a fully isolated and automated network, there’s just no way to adequately defend against all attack vectors simultaneously and continuously.”  

That’s frightening, but a reality. Enough of the pessimism, though—let’s go through how your company can defend against social engineering. 

How can my business defend against social engineering?

Businesses need to focus on education and drop the ego at the door, says Gurinaviciute. 

“If you approach information security thinking ‘my team would never fall for anything like that,’ you’ve already lost the battle. Hackers are trying to get into your systems all the time. We had a server once where we saw over 75,000 malicious attempts to gain access in a single day.” 

So we’ve dropped the ego and realized nothing can be trusted. The next 3 steps will ensure your company is doing what it can to protect its livelihood.  Step 1—DevSecOps is the way to go Philosophy can have such a huge impact on your employees’ actions. If people are invested in information security as a priority, they’ll generally make better decisions. 

Take action to ensure you follow a DevSecOps philosophy of collaboration and security-first product development. This could mean installing the philosophy as a shared company ideal or simply committing to build more security into future features. 

Step 2—Patch it or send it to hardware heaven Hardware is vulnerable and needs to be patched regularly. Software is vulnerable and needs to be updated regularly. It’s really that simple.  Step 3—Your employees’ passwords are terrible The truth hurts, but the beloved system of adding a number after that cool word you like or your favorite basketball player’s name doesn’t work. How long it takes to crack a password like MJG0AT!23 might surprise you. 

“It depends. For some, around 10 minutes. An experienced hacker might need about 3-4 [minutes],” Gurinaviciute said. 

The point is—don’t trust your employees to use strong passwords. Make password managers mandatory, and always use two-factor authentication when available. 

Choosing solutions with multi-factor authentication is just smart business. We’ve established humans are bendable. We’ve established many passwords are but a minor inconvenience for an experienced hacker. Add the extra layer of security and sleep a bit easier. 

You’re not safe—but are you ever, really?

Cybersecurity is like life. It’s overwhelming, full of chaos and joy and confusion, and requires countless safety precautions to survive. Following these steps will help get your company to where it needs to be—constantly working to stay safe.