Control 17.6: Train Workforce on Identifying Social Engineering Attacks¶
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
Category¶
Procedural
Purpose¶
Social engineering attacks are among the most common and successful types of attacks because they prey on human tendencies and emotions rather than on technical weaknesses. Even when many attempts fail, a single successful social engineering attack can have a tremendous impact on an organization. While these attacks are often preventable, they are becoming more sophisticated and harder to spot. This is why it is important for employees to know what to look for and how to recognize suspicious activity in their email, over the phone, and even in person.
Social engineering attacks include phishing, spear phishing, vishing, pretexting, baiting, tailgating, and quid pro quo. Phishing is the most common type of social engineering attack; it occurs when an attacker gets a victim to perform some action, such as disclosing sensitive information like an enterprise password. Another form of phishing tricks the user into navigating to a website that downloads malicious software, which is subsequently installed on an enterprise system.
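The red flags employees are taught to look for in a phishing email (a sender domain that imitates a trusted one, a Reply-To that goes elsewhere, link text that shows one site while the link points to another, and urgency or credential pressure in the wording) can be expressed as simple checks. The script below is an added example written for this page, not part of the CIS Controls or any training platform; the trusted-domain list, the confusable-character substitutions, the urgency phrases and the sample message are all constructed for illustration and would need to be tuned for a real organization.

```python
"""Heuristic checks for the phishing indicators employees are trained to spot.

Added example for the CIS 17.6 page. TRUSTED_DOMAINS, the substitution table,
the urgency phrases and SAMPLE are constructed for illustration only.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains the organization treats as known and trusted.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}

# Phrases that pressure the reader into acting without thinking (constructed list).
URGENCY_PHRASES = ("immediately", "24 hours", "suspended", "verify your password")

# Either a full URL or a bare domain appearing in visible link text.
URL_RE = re.compile(r"https?://[^\s<>\"]+|(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def domain_skeleton(domain):
    """Collapse common look-alike substitutions so examp1e.com ~ example.com."""
    d = domain.lower()
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                     ("3", "e"), ("5", "s"), ("-", "")):
        d = d.replace(old, new)
    return d


def is_lookalike(domain):
    """True when a domain imitates a trusted domain but is not actually it."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False  # the real domain or a genuine subdomain of it
    skeleton = domain_skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        # Character substitution (examp1e.com) or the trusted name smuggled into
        # a foreign host (example.com.evil.net, login-example.com).
        if skeleton == domain_skeleton(trusted) or trusted in domain:
            return True
    return False


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = sender.domain.lower() if sender else ""
    if is_lookalike(sender_domain):
        flags.append(f"sender domain {sender_domain} imitates a trusted domain")
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target_host = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(visible)
        if shown:
            shown_url = shown.group(0) if "://" in shown.group(0) else "http://" + shown.group(0)
            shown_host = (urlparse(shown_url).hostname or "").lower()
            if shown_host and shown_host != target_host:
                flags.append(f"link text shows {shown_host} but points to {target_host}")
        if is_lookalike(target_host):
            flags.append(f"link target {target_host} imitates a trusted domain")

    plain_text = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [p for p in URGENCY_PHRASES if p in plain_text]
    if hits:
        flags.append("urgency / credential pressure: " + ", ".join(hits))
    return flags


# Constructed sample message exhibiting all four indicators at once.
SAMPLE = """\
From: IT Service Desk <helpdesk@examp1e.com>
Reply-To: recovery@mail-reset.net
To: jane.doe@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 24 hours. Verify your password immediately or your account will be suspended.</p>
<p><a href="https://example.com.account-verify.net/login">https://payroll.example.com/reset</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE):
        print("-", flag)
```

Run against the sample, the checker reports five flags: the substituted sender domain, the mismatched Reply-To, the link whose text and target disagree, the link target that embeds the trusted name inside a foreign host, and the urgency wording. These are exactly the cues an awareness program teaches people to check by eye; the heuristics are deliberately simple and will produce false positives (a legitimate mail merge with a tracking-link host, for instance), which is why they complement rather than replace training.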
Automation¶
There are third-party training platforms available that can reduce the overhead of implementing a security awareness program for identifying social engineering attempts. Third-party training platforms are typically engaging and kept up to date, but may be too costly for small organizations.
Guidance and Tools¶
Social engineering attacks are best defeated by an aware and skeptical employee base. Employees need to be aware of their own tendencies and maintain a healthy skepticism toward anyone, and any communication, that does not come from a trusted, known party. Holding regular social engineering awareness trainings, along with regular corporate communications that show examples of social engineering attacks, are good exercises. Role-playing training that exposes employees to these tactics will help them respond appropriately in real-world scenarios.
- Google: This high-quality video, Stay Safe from Phishing and Scams, can be used to train employees on how to recognize phishing and scams.
- NIST: This high-quality video, titled You’ve been Phished, can be used to train employees on how to identify social engineering attacks.
- Much of the guidance provided in 17.5 can be useful for this Sub-Control.