Despite high-profile ransomware, nation-state and supply chain attacks dominating headlines over the past few years, social engineering — and phishing, in particular — remains the top cause of data breaches. In fact, according to CISCO’s 2021 Cyber Security Threat Trends report, about 90% of data breaches occur due to phishing. 

Social engineering attacks are designed to trick, deceive or psychologically manipulate targets into divulging sensitive information, disclosing account information or performing an action, such as sending the attacker money. Bad actors typically exploit current events and invoke tones of fear and urgency to incite the victim to act on their behalf. For example, during the start of the COVID-19 pandemic, security leaders saw a range of social engineering threats — from emails claiming fake news and cures to those asking for donations to fraudulent charities. 

Here are a few of the most common types of social engineering threats:

Phishing: Email-based attacks where the fraudulent sender impersonates a legitimate person (such as a boss, family member or friend) or organization (such as a bank or charity) to gain the victim’s trust and get them to act or divulge confidential information.

Vishing: Phishing attacks that occur over the phone, rather than through email.

Smishing: Phishing attacks that occur through text messages.

Spear phishing: Phishing attacks that target a specific person, group, business or organization.

Social engineering attacks have become increasingly sophisticated over the past few years, not only in the way bad actors craft their content, but also in how they trick victims. Many phishing and smishing attacks now include malicious links or attachments that, when clicked or opened, download malware onto the victim’s connected device. When this happens, the bad actor doesn’t need the target’s help — they can steal information and money on their own. Making matters worse, once the victim’s connected device is compromised, it opens a gateway onto their company network — enabling attackers to move laterally throughout the organization, inflicting damage at every turn.

The solution to social engineering

Social engineering attacks have been around for decades, but their success rate hasn’t diminished in the slightest. This is because, despite being an old threat vector, many people still aren’t aware of social engineering threats and don’t know how to detect or defend against them. In fact, Comcast’s 2022 Xfinity Cyber Health Report revealed that 71% of survey respondents said they’ve heard of phishing, but only 39% said they’d be able to confidently explain it — which likely means the remaining 61% don’t know how to sufficiently identify or protect themselves from this threat.

Knowing this, it seems like the solution to the social engineering problem should be simple: prioritizing employee education, awareness and training. And yet, many companies continue to falter in this regard. 

Building a security culture 

To truly mitigate the risks associated with social engineering — and all threat vectors, for that matter — companies need to build a security culture with employee awareness, education and training at the center. This means moving beyond the once or twice a year check-the-box training sessions and instead ensuring cybersecurity is always present by making it a  fundamental part of business operations and providing continuous learning opportunities for employees. The goal is to have cyber safe behavior become automatic, rather than something employees must stop and think about. 

Building a security culture in this way isn’t easy, and it may take some time, but it’s worth all the hard work. 

Ensure employee education, awareness and training programs are frequent and engaging: Long, cookie-cutter training programs will leave employees bored and distracted, causing them to forget what they learned within a few weeks. Getting creative and making content humorous can engage employees and help them remember important best practices. When it comes to cadence, short and more frequent training will be much more impactful than conducting one or two long sessions each year.

Reward cyber safe behavior: An effective way to promote adoption of safe cybersecurity behavior and boost employee engagement is to implement recognition and reward programs — for example, running monthly contests or rolling out gamification programs. 

Make reporting fast and easy: If an employee detects a threat, it’s a significant step in the right direction. But the true win will be getting them to go one step further and reporting the suspected threat, so, if validated, the security team can notify the entire employee base to prevent others from taking the bait. To incentivize employees to take this action, though, the reporting process must be simple and quick — for example, adding a “one-click” link to an email platform that allows users to forward suspicious emails directly to the security team for review. 

Involve the whole company: Building a strong cybersecurity culture demands a firm commitment from all levels of the organization — from the board and C-suite executives to the mailroom. Regardless of position, each employee needs to understand why good cyber hygiene is so important as well as their specific role in protecting the company from cyber threats. 

Employees are the first line of defense against these — and all — attacks. Building a security culture that has employee awareness, education and training at the center is a great start.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.