When we are talking through social engineering with a potential or current client, we notice that many times the client will respond with some variation of “I already know my users are going to fall for it.” If you already know your users are going to fall for it, what’s the point of a social engineering engagement? Why bother? What benefit will it provide? I would argue that social engineering engagements are still really important, for several reasons. In this blog post, we will explore some of those reasons.
Argument 1: Threshold
Even if you know your users are going to fall victim to social engineering, it is very important for you to understand what that threshold is. In other words, they may fall for a very sophisticated ruse that impersonates an insider and creates a mirrored website that looks just like one of yours, but will all employees fall for the infamous “Prince of Nigeria” mass phishing emails? During a social engineering engagement, we start with sophisticated attacks that are successful around 90% of the time, and then reduce sophistication and complexity in each of the subsequent campaigns. The idea is to measure the threshold at which your employees will fall for it.
Why is this threshold important? Two reasons. First, it will help you make data-driven decisions to protect what is important to your organization. If your users are really susceptible, then perhaps you need to assume they will be compromised and spend more time and resources on finding ways of detecting an attack or preventing an attacker with a foothold from escalating. Further, if one department is more susceptible than others (sorry Marketing, it is usually you), you can separate it into its own VLAN and use strict ACLs to provide very limited access to internal resources. The second reason you’d want to know that threshold is to measure improvement in your user awareness from year to year. By knowing your threshold, you can track your progress and hopefully see that your training efforts or technical controls are making a difference in your security posture.
Argument 2: Impact
Another great reason to consider a social engineering engagement is to help understand the risk and impact associated with a successful attack. What happens after that employee clicks the link? Can an attacker go from that employee clicking a link to taking over your network as a domain administrator? Can they get to your “Crown Jewels” or whatever sensitive data you are trying to protect? A social engineering engagement will help answer all these questions. As with knowing the threshold, knowing the impact can help you better align your security resources based on the results. Also, by demonstrating the impact, it is much easier to get organizational buy-in for some security initiatives that might otherwise go unfunded or unapproved. For example, the easiest way to justify multi-factor authentication on your VPN is with a report showing an engineer emulating an attacker and logging right into it with a password stolen from social engineering.
Argument 3: Awareness
My third and final attempt to convince you that there is still a point to a social engineering engagement, even if you know your employees will fall for it, comes down to higher quality security awareness training. We offer awareness training, and we love to deliver it right after a social engineering engagement. The main reason for this is that it really helps to present the exact scenario your employees fell for, including screenshots and videos. We hide all the details about which individuals fell for it, as the point is not to name and shame. But showing your employees that the threat is real can really open their eyes and get you more buy-in for changes that may have to occur in the organization. Additionally, pointing out the exact warning signs in the campaigns we used adds realism and fosters understanding of what sophisticated attacks look like in the wild, and when employees should be concerned.
We hear all the time from customers that their employees are less vulnerable after the training, and a lot more likely to report suspicious behavior. Even if you don’t use us to perform your awareness training, we encourage you to use our social engineering report to inform that training. The screenshots and statistics included in our report will likely add some extra value. Showing your employees a realistic attack that is indicative of the types of threats they are likely to encounter will help.
In summary, even if you know your employees will fall for it, there is definitely still a point to a social engineering engagement. First, you need to know the threshold of your user awareness so that you can improve their detection or align your resources accordingly to protect against further damage. Second, you need to know the impact a successful social engineering attack could have on your organization, which can help you get buy-in to make additional changes to your security. Finally, you can use the social engineering engagement to bolster your awareness training. By improving the quality of your awareness training, you can further increase employee detection rates, improve employee response, and ultimately reduce the impact of a compromise.