I recently touched on the topic of social engineering with the observation that employees who are not equipped to defend themselves against this vector represent an exploitable situation. Hackers can use this weakness to punch holes through even the most robust of IT defenses.
In "Companies Fail Social Engineering Test" last month, I wrote about a recent Defcon social engineering contest that pitted amateur "social engineers" against large, well-funded enterprise companies. The result was somber to say the least: Employees at every single company in the contest gave away information that they shouldn't have. This clearly demonstrates that even larger companies with resources to spare are not doing enough to patch this void in their defenses. To drive home the point, the above-mentioned businesses are Fortune 500 companies, and include the likes of Cisco Systems, Microsoft, Google, Ford Motor, Pepsi and Coca Cola.
Now, it has emerged that women fared better at the Defcon social engineering contest. Apparently, of the 135 employees targeted as part of the contest, only five doggedly refused to give up any corporate information. And all five were women.
Chris Hadnagy, one of the event's organizers, didn't want to elaborate on why this was so when quizzed by Computerworld, though he was willing to share his observations on the stellar performance of the above-mentioned employees: "Within the first 15 seconds, they were like, 'This doesn't seem right to me,' and they ended the call."
While the full report has yet to be released, some other nuggets of information have emerged about the contest:
From the snapshot of evidence presented, it is clear that the spectre of social engineering attacks is very real indeed. So what are some facts that SMBs need to know about social engineering?
I'll write on this topic again with tips that SMBs can use to help defend themselves against social engineering attempts once the full report becomes available. In the meantime, I am keen to hear if your SMB has implemented any training to defend against social engineering. What are the measures adopted by your company?