Risk & Business Magazine Spectrum Insurance Fall 2019 | Page 27
SOCIAL ENGINEERING
GUARDING AGAINST SOCIAL ENGINEERING

Social engineering is one of the most difficult crimes to prevent, as it cannot be defended against through hardware or software. In order to build defenses against social engineering attacks, organizations need to design and implement comprehensive security practices:

• Risk Assessment: A risk assessment helps management understand risk factors that may adversely affect the company and track existing (and upcoming) threats. Determining security risks helps enterprises build defenses against them.

• Policies and Procedures: Policies and procedures must be clear and concise, and they should be aimed at mitigating social engineering attacks. Well-defined policies and procedures give employees guidelines on how to protect company resources from a potential cyber attack. Strong policies should address proper password management, access control, and handling of sensitive user information.

• Security Incident Management: When a social engineering event occurs, a company must have a written, comprehensive protocol for managing such incidents. To manage the incident, the Help Desk must be trained to track (among other things) the target, their department, and the nature of the scheme. Such protocols will enable a company to actively manage the risk of the breach and mitigate potential losses.

• Training Programs: Companies should invest in security training programs and keep their employees updated on security threats. Because companies are composed of various departments, training and awareness must be customized to the needs and requirements of each department. Such practices help employees recognize and handle security attacks effectively.

Despite the best vendor background screenings, fraud detection systems, segregation of duties, and education, companies still face an uncertain risk of loss from social engineering schemes. As a result, strong consideration should be given to purchasing coverage tailored to social engineering risks.