©2020 Firestorm Cyber. All rights reserved.

  • echoudhury77

Why Social Engineering is so Effective



For hackers, ethical or the bad kind, social engineering is an art. It involves convincing people to give up confidential information. Typically, executives and their assistants, systems administrators, and technical people are common targets because they tend to hold valuable information.


An organization's security policies are only as strong as the weakest link, and the human factor is always that weakest link. It's human nature to trust, and that trait is easy to exploit. There's no way to ensure complete security from social engineering. No specific hardware. No specific software. And it's difficult to detect and stop social engineering attempts.


Some human behaviors that make social engineering effective are:


- It's human nature to trust


- Ignorance about social engineering


- Fear of not complying with "the boss" or "urgent" requests


- Promises of getting something for nothing (think Nigerian prince)


Hackers begin their social engineering attacks by researching the company they want to hit. The popularity of social networks such as Facebook, LinkedIn, Instagram, etc., has made hackers' work extremely simple. People post personal information without a second thought, which is ammunition. Company websites also post valuable personal details about executives and company activities. Dumpster diving (taking your trash after you've put it out for collection), while not glamorous, can yield a wealth of information.


Education and training are critical as a first line of defense against social engineering attacks. People have to be trained on the many ways a social engineering attempt can start, and be taught how to identify the red flags and react to them (or not react to them).


You can have the best, most expensive network infrastructure and security equipment. They're almost useless against serious social engineering attacks.


Cybersecurity awareness training has to be front and center in any company. This training can become life skills for employees in their personal lives.