Originally published by Schellman.
For as long as the concept of cybersecurity has been around, much of the focus has centered on sophisticated technical controls—firewalls, password strength, network segmentation, endpoint protection, encryption, etc. Implementing and regularly testing all of these measures does make your organization safer, but you also need to secure your people, and that is where a social engineering campaign can help immensely.
As cybersecurity assessors, we can attest that shoring up the human element is just as important as implementing technical controls, and real-world incidents bear that out.
In this blog post, we’ll dive into why having social engineering campaigns performed is a key aspect of your cybersecurity, as well as the benefits of testing your employees in this way, so that you can ensure your protections have the breadth they need against an ever-advancing threat landscape.
Social Engineering Campaigns as a Cornerstone of Your Organization’s Cybersecurity
Among the many types of cyberattacks, social engineering is defined as using psychological manipulation to trick people into making security mistakes or giving away sensitive information—that’s what bad actors will do to deceive your people and subsequently harm your organization.
But you can also choose to deliberately engage experienced and qualified penetration testers to shape an attack that targets your people before a criminal tries, and here’s why that’s an important investment to make—social engineering campaigns do the following:
- Provide Insight into the Human Element: These exercises that simulate the exploitation of trust, curiosity, fear, or other emotions—as an attacker would—will help identify how vulnerable your organization’s personnel are to such tactics so you can then train them specifically to recognize and respond appropriately to suspicious activities and reduce the likelihood of successful real-world attacks
- Strengthen the Effectiveness of Technical Defenses: You may have implemented measures such as firewalls and encryption, but how helpful will they be if a bad actor manipulates an employee into providing login credentials or clicking on a malicious link, thereby circumventing those protective investments?
- Reveal How Your Organization Would Respond to a Breach: A social engineering campaign can help you improve your incident response, given that it’s a real-world scenario simulation. You’d gain insight into those previously established procedures to understand if they’re effective in reality—not just in theory—and this insight into how an attack might unfold will allow you to refine your responses to minimize damage in the event of a real attack.
3 Recent Cyber Incidents That Prove the Importance of Social Engineering Campaigns
So yes, social engineering campaigns are a vital component of any robust cybersecurity strategy, and if you need further proof, look no further than three recent breaches that were the result of unaware personnel.
1. Uber
Popular ride-share service Uber suffered what was described as a “total breach” at the hands of social engineering in 2022. After an attacker gained access to an employee's Slack account, they sent a message to other Uber employees, claiming to be from the IT department and asking for credentials, which were provided, allowing the hacker to access email, internal tools, cloud storage, and code repositories.
Ironically, Uber runs a bug bounty program where they pay hackers to discover weaknesses in their system, but social engineering attacks were left out of scope.
2. Twitter
Back in July 2020, cyber criminals targeted Twitter employees using phone-based phishing (vishing) tactics to convince them to give up credentials for the company’s internal tools. The attackers then leveraged those tools to take over high-profile accounts with millions of followers, post a cryptocurrency scam on those accounts, and reap over $100,000 in Bitcoin from unsuspecting victims.
The incident led to a significant public outcry, forcing the social media app to temporarily lock down all verified accounts. A congressional hearing on social media security was also prompted, as the breach raised uncomfortable concerns—while the hackers here only wanted money, what would stop someone worse from doing the same to instead spread lies about national emergencies or elections?
3. American Airlines
In 2022, American Airlines reported that hackers had run a successful phishing attack to trick AA employees into divulging login information, which the attackers leveraged to gain access to sensitive customer data that included passport numbers and driver’s licenses.
While the company claimed that only a "very small number" of customers were affected and that there was no evidence of misuse of the accessed data, public outcry regarding the airline's ability to protect customer data affected stock prices and consumer trust.
5 Advantages of Having a Social Engineering Campaign Performed
Waiting for criminals to perform social engineering on their people didn’t help those companies, but proactively engaging a third-party security firm to do so ethically can serve your organization in several ways.
1. More Comprehensive Vulnerability Acumen
Of course, the primary benefit of undergoing one of these prepared attacks is, as we mentioned earlier, the insight you gain into oft-forgotten security weaknesses among your employees. A social engineering campaign will reveal how vulnerable they are to manipulation, including how likely they are to fall for:
- Phishing (in its many forms);
- Pretexting;
- Baiting; or
- Scareware, or other common social engineering tactics, depending on what you’d like tested.
Not only that, these campaigns can also reveal weaknesses in your processes—things like poor verification procedures or inadequate security protocols, which might also be exploited by attackers—as well as whether employees are following existing security protocols.
You could learn whether your personnel really aren’t sharing passwords—as they shouldn’t be—or if they’re being cautious about unsolicited communications. With all this unique information, your organization can then refine existing policies and procedures to better protect against threats, including those in the form of social engineering.
2. Higher Security Awareness Within Your Organization
A campaign is itself a form of security education, since simulating the tactics attackers use helps employees recognize those tactics and avoid falling victim to them. Once a campaign is complete, you can also use the results to train employees further.
Further training raises and maintains awareness, and this continuous exposure and instruction can lead to a stronger security-focused culture where staff are more vigilant and proactive about safeguarding the information in your charge.
3. Better Protected Reputation
As the corporations noted above—as well as many others—unfortunately know, breaches or cyber incidents of any kind can damage an organization’s reputation among customers and investors, and their trust may be difficult to win back.
However, by identifying and mitigating risks early through a proactive and deliberate social engineering campaign, you can not only better protect your standing in the market, but you can also demonstrate that you are actively making efforts to test and fortify your defenses, which can actually strengthen trust between your organization and its stakeholders.
4. Reduced Risk of Financial Fallout
In the same way, social engineering campaigns can help prevent unexpected and costly expenditures that are often the result of security breaches. By exposing and addressing the vulnerabilities discovered as part of your campaign, you’ll position yourself to better avoid what could be significant financial loss due to repercussions for data theft, regulatory fines, or legal action.
There may even be a case for additional savings through better terms or lower premiums for cybersecurity insurance, as demonstrating a proactive stance on security can sometimes help during negotiations with brokers.
5. Compliance Boost
Depending on your business, your sector could require regular testing of security measures that includes vulnerability assessments and social engineering tests, and so, of course, undergoing a campaign of this sort could help you meet those obligations.
More than that though, conducting a social engineering campaign demonstrates a unique due diligence regarding your protection of sensitive data, as the results of one can be documented and presented as part of an audit trail—such evidence that you’re actively monitoring and improving your security measures can also help reduce potential penalties in the event of a breach.
Get Started with a Social Engineering Campaign Today
While recent incidents demonstrate the persistent threat that social engineering poses, even to well-defended organizations, a well-executed, ethical campaign can be an invaluable tool in safeguarding against it. Beyond that, there are further advantages you can gain from having this type of test performed, including improvements to your overall security posture and reduced risk of fallout in multiple areas.