30 Mar Social Engineering: how to increase awareness and HR’s role in addressing this ever-increasing security threat
Cybersecurity has become an issue that companies can no longer ignore. In fact, modern society is now so fully integrated into a digital ecosystem that this has obvious implications for the business activities of companies and the interests of consumers. As such, there is a clear need for companies to adopt a concrete cybersecurity infrastructure that has the dual function of protecting the rights and freedoms of consumers as well as the business interests of the companies themselves.
One important element that needs to be implemented to ensure a strong cybersecurity foundation is an information security management system which would allow companies to ensure the confidentiality, integrity, and availability of the data they process. However, an approach to cybersecurity that only focuses on external threats would undoubtedly be limited and insufficient. In fact, even though it may seem counter-intuitive, many threats to cybersecurity are very often caused by company employees.
The human factor
As pointed out in a recent report published by Verizon, a large portion of cybersecurity incidents – almost one in every five cases – arises from the carelessness and/or inexperience of employees, often driven by distraction, poor motivation, and inadequate preparation, and extending to misconduct caused by so-called “burnout”, i.e., genuine exhaustion of the employee due to excessive workload.
Furthermore, according to research conducted in 2018 by the Information Security & Privacy Observatory of the Politecnico di Milano, among the different types of vulnerabilities that increased the risk exposure of the surveyed organizations, distraction and low employee awareness were found to represent the highest risk for 82% of companies.
In the internal context of a company, the main source of risk comes from social engineering attacks, a particularly sophisticated form of attack that aims at deceiving an employee for malicious purposes such as stealing their identity or personal data or even enticing them to do something malicious. Social engineering attacks can be considered as a technique of “manipulation” of people, which – unlike other cyber threats – does not exploit the weaknesses of information systems, but rather the weaknesses and naivety of human beings, thus circumventing the digital infrastructure security perimeter of the company.
In social engineering, the attack phase is preceded by a phase of information gathering, in which an in-depth study of the victim is carried out, analyzing his personality, habits and behaviors. Similarly, when the target of the social engineering attack is not a single person but an entire organization, the object of the criminals’ study will be the collection of as much information as possible, available from various sources (company website, social networks, social data, documents available on the network, etc.), in order to have a detailed understanding of the target company and the behavior of its employees.
Once the information gathering phase has been completed, the actual social engineering attack phase can be carried out. This can be done through several different attack vectors (phishing, baiting, pretexting, trashing, etc.), all achievable through the exploitation of weaknesses inherent in the “human” component of a company’s work organization.
HR’s role to increase Security Awareness
In adequately minimizing the risk that these attacks can pose to a company, Human Resources (HR) plays a key role in the context of risk management. In particular, HR needs to guarantee, together with the IT and other departments, the security of the company against cyber threats.
In general, the relevance and importance of the HR department to a successful business is easy to see. In fact, it contributes to the growth and cultural evolution of a company in many ways. For example, one can think of the activity of recruiting workers, which allows the company to become known on the market, or the activity of defining remuneration, which conveys to employees how much their contribution to the company is appreciated. Simply put, HR plays the role of a “presence” within the organization, whose aim is to interpret the needs and expectations of the company, accompanying it on a path of constant growth.
From this point of view, we can understand the pivotal role played by HR, also in the effective and efficient implementation of an Information Security Strategy; a role that is mainly grounded on the mission of spreading the concept of awareness within the “human fabric” of the company.
Security awareness is not a synonym for “employee training”. These concepts, although similar, do not necessarily go hand-in-hand. In other words, the implementation of a successful awareness strategy includes but is not limited to training activities within the company; it’s a long and complex process that supports the creation of a “collective intelligence” which consequently raises the level of data security within the company.
One area where awareness strategies don’t necessarily require employee training but require other means is the motivation of employees. Issues related to IT security are often considered as too challenging and even as an obstacle to business productivity, leading to a lack of motivation on the side of employees who need to solve these issues. As part of an awareness strategy, several different methods can be used to ensure greater involvement of employees such as using techniques of gamification, the use of multimedia material, as well as the planning of meetings, seminars, study days, exhibitions, initiatives for the involvement of external parties, etc.
Ultimately, however, the key role played by employee training should not be underestimated. There is no doubt that one of the main reasons for the success of social engineering attacks is the lack of staff training on such cyber security threats. Therefore, a continuous and adequate training program is necessary in order to provide employees with a greater awareness of the potential risks, as well as provide them with appropriate knowledge and tools not only to prevent attacks, but also to promptly react to one.
Overall, companies need to be aware of the effects that social engineering attacks are having. In particular, since these types of attacks circumvent the protections put in place by information security systems, it becomes essential for awareness strategies and employee training to be put at the top of a company’s priority list so as to effectively minimize the risk of social engineering attacks materializing into an actual data breach. Particular emphasis must be put on the role of HR in managing, together with other departments, the risk that such cyberthreats can pose to the business activities of a company.
 Verizon, Data Breach Investigations Report (DBIR), 2019
 Politecnico di Milano, Osservatorio Information Security & Privacy, 2018 Edition.