The main problems an organization faces in preventing social engineering are:
- Large surface area of attack
Social engineering attacks are multi-platform and diverse, and the problem grows with the size of the organization. Each and every employee and stakeholder can be "engineered" via email, text messages, telephone calls, social media interactions, and in person. Given the large attack surface (each employee multiplied by each medium of attack), the problem at hand is huge.
- Ingenious methods of social engineering
Social engineering in the digital realm is no longer just the infamous email from the Nigerian prince. It has developed in creative and ingenious ways. This DEF CON video shows a voice phishing (vishing) social engineering call that succeeded in less than two minutes.[3]
- Social Engineering is now available on “for hire” basis
Social engineering is a profession, carried out by experts with honed skills.
The screenshot below is of an advertisement looking to hire one for $500.[4]
- Human weakness
A person's humanity, and the chinks in each person's armor, is what makes them "human". Unlike a digital system, which is either 1 or 0, the possibilities, permutations, and randomness involved when it comes to humans are challenging.
A social engineer uses various "triggers" to tap into the person's emotions and get them to divulge the information needed. The human factors exploited can be as varied as greed, lust, fear, pity, and friendship. Because these triggers work on anyone, the practical defence is a process rather than a person: a verification step (such as calling back on a known number) before any request for credentials, payments, or sensitive data is acted on.
- Inadequate social engineering training
Getting the C-suite executives to understand the importance of social engineering, allocating the required budget, time, and resources, making the training programs mandatory, getting employees to diligently pay attention to the training and remain vigilant, and coming up with comprehensive yet creative training material are all huge challenges. Training that is not reinforced with periodic simulated phishing and vishing exercises fades quickly.