Using the Easy Button™

Last month, we posted a blog explaining the staffing shortage in the information security (InfoSec) industry. It can take three to six months to fill a vacant position, and 27% of companies fail to recruit the talent they need. Some companies rush to fill a position and end up hiring the wrong person, which sets them back even further. Filling a role with a qualified candidate who has both social engineering experience and the required technical skills is harder still.

Finding a Solution

What is the solution to this problem? You can partner with experts who work in tandem with your existing security team. At Social-Engineer, we design customized security programs that simulate attacks across the four main social engineering vectors: vishing (voice), phishing (email), SMiShing (text message), and in-person impersonation. More than 80% of data breaches involve social engineering tactics, so companies need to test their staff against these vectors, not just their technology. We measure how mature your defenses are against these attacks and report how your staff improves each month.

Common Attacks We See (and Use!)

Here’s a very common example of a vishing attack that we see every day. An employee gets a phone call from someone claiming to be another employee in the company, who asks whether they’re also having trouble connecting to the internet or to a specific internal website. Or the caller asks which version of Windows they’re using. Each question sounds harmless, but the answers tell an attacker what your environment looks like and which pretexts will be believed on the next call. Will your employees know what to do and, even more important, will they report it?

If you don’t know how your employees will handle a phishing email, we can start with one that is very easy to catch and, if they don’t catch it, give immediate feedback on what to look for. We then progress to an email that is less obviously phishing and follow the same steps. Again, the goal is improvement in the recognition and reporting rate, so that you become aware of these attacks earlier and can take steps to stop them.

Do you have physical security gaps at the office? Are your employees too trusting, or unaware of company policy on what to do when they see someone they don’t recognize and can’t validate? What will they do when that very nice person joins them out back for a cigarette break, has all the company lingo down, but doesn’t have a badge ready to get back into the building? What is the company’s policy for handling that, and will people actually follow it?

Benefits of Partnering with Social-Engineer

How do we approach education for these situations at Social-Engineer? Let’s say you wanted to learn boxing. On the first day, you wouldn’t get in the ring with the heavyweight champion and expect to win, right? It wouldn’t go well, and you’d likely quit. Instead, it’s safer to first be shown the basics: how to stand, how to move, how to protect yourself. That’s what we do with social engineering. We show you how to protect yourself and help you build a solid awareness program. Then we start testing, graduating staff through specific levels of your customized phishing and vishing program. As people show they can handle a level, we move them up to a slightly more difficult one. Each month, you get a report showing the progress your employees have made. We call this our Levelized Program, and our clients frequently see substantial improvement with it.

Let’s face it: some phishing attack will eventually succeed, and click-rate data has some value. It is not the most important metric, though. We would rather see a high rate of reporting, because a fast report is what lets you react to the threat quickly. Therefore, we focus on education and on metrics that show improvement over time. We work with you to show that your education is working and, if it is not, we can provide programs to help.
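To make the metric choice above concrete, here is a small calculator for the numbers a levelized phishing program would report each month. This is an added example, not Social-Engineer’s own tooling; the campaign events are constructed for illustration, and the field names (`sent_at`, `clicked_at`, `reported_at`) are assumptions about how a simulation platform might export its data. Besides click rate and report rate, it computes the two figures that matter most for reacting quickly: how many minutes passed before the first report, and how many people had already clicked by then (the exposure window nobody knew about).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Recipient:
    """One simulated recipient: when the lure was sent and, if ever,
    when they clicked it and when they reported it."""
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


def campaign_metrics(recipients: List[Recipient]) -> dict:
    """Per-campaign metrics a monthly awareness report would carry."""
    sent = len(recipients)
    clickers = [r for r in recipients if r.clicked_at is not None]
    reporters = [r for r in recipients if r.reported_at is not None]

    # Time from delivery to the earliest report, measured per recipient so
    # staggered send times do not distort it. None if nobody reported.
    first_report_delay = min(
        (r.reported_at - r.sent_at for r in reporters), default=None
    )
    first_report_at = min((r.reported_at for r in reporters), default=None)

    # Exposure window: clicks that happened before anyone raised the alarm.
    if first_report_at is None:
        exposed = len(clickers)
    else:
        exposed = sum(1 for r in clickers if r.clicked_at < first_report_at)

    return {
        "sent": sent,
        "click_rate": len(clickers) / sent,
        "report_rate": len(reporters) / sent,
        "minutes_to_first_report": (
            None if first_report_delay is None
            else first_report_delay / timedelta(minutes=1)
        ),
        "clicked_before_first_report": exposed,
        # People who fell for it but still reported: the best teaching cases.
        "clicked_then_reported": sum(
            1 for r in clickers if r.reported_at is not None
        ),
    }


def improving(monthly: List[dict]) -> bool:
    """True when report rate never drops and click rate never rises
    from one month to the next: the trend the program is after."""
    return all(
        later["report_rate"] >= earlier["report_rate"]
        and later["click_rate"] <= earlier["click_rate"]
        for earlier, later in zip(monthly, monthly[1:])
    )


# Constructed sample data: ten recipients per campaign, all sent at 09:00.
BASE = datetime(2019, 3, 4, 9, 0)


def at(minutes: int) -> datetime:
    return BASE + timedelta(minutes=minutes)


# Month 1 (easy lure): four clicks, only two reports, the first one late.
LEVEL_1 = [
    Recipient(BASE, clicked_at=at(5)),
    Recipient(BASE, clicked_at=at(12)),
    Recipient(BASE, clicked_at=at(30), reported_at=at(45)),
    Recipient(BASE, clicked_at=at(90)),
    Recipient(BASE, reported_at=at(60)),
] + [Recipient(BASE) for _ in range(5)]

# Month 2 (harder lure): fewer clicks, more reports, first report in minutes.
LEVEL_2 = [
    Recipient(BASE, reported_at=at(3)),
    Recipient(BASE, reported_at=at(8)),
    Recipient(BASE, clicked_at=at(10)),
    Recipient(BASE, reported_at=at(15)),
    Recipient(BASE, clicked_at=at(20), reported_at=at(22)),
] + [Recipient(BASE) for _ in range(5)]


if __name__ == "__main__":
    months = [campaign_metrics(LEVEL_1), campaign_metrics(LEVEL_2)]
    for i, m in enumerate(months, start=1):
        print(f"month {i}: {m}")
    print("improving:", improving(months))
```

Note what the two months show: the click rate halves, but the change that actually shortens the incident is `minutes_to_first_report` dropping from 45 to 3, with zero clicks landing before the first report in month 2. That is the number to put at the top of the monthly report.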

Fixing the Shortage of Information Security Professionals

Our customized, managed services advance your social engineering awareness program without requiring you to hire the specialists the market cannot supply. We create campaigns that show you which types of social engineering attacks will work in your environment. The more valuable part, though, is educating your staff and showing monthly metrics of their improvement as a clear return on investment (ROI).

Sources:
https://www.social-engineer.com/shortage-of-information-security-professionals/
https://blog.isc2.org/isc2_blog/2018/02/cybersecurity-hiring.html
https://www.social-engineer.com/