Discover Performance

HP Software's community for IT leaders // April 2012

The human element: 4 defenses against social engineering

Socially engineered attacks are still one of the most successful means of penetrating organizational security. Learn how to beat the bad guys at their own game.

Broad consumer-targeted "phishing" attacks usually aren't particularly clever—do you really think that guy in Nigeria will share his millions with you?—but similar attacks targeted at businesses can be far more sophisticated. Forcing employees to make quick decisions, such as opening a secured door or sharing sensitive information "or you'll be fired," is a very common tool used against companies, and it is probably the most successful method of corporate attack.

Often, larger companies are particularly vulnerable to scammers. With more employees, scammers have more opportunities to operate without detection and less risk that made-up names and authorizations will be noticed by individual targets.

Security investment and involvement are not the issue. At most companies, firewalls, intrusion prevention devices and virtual private networks are in place and tested thoroughly. But no matter how much you've spent and how thoroughly you've tested, these products won't be able to prevent the help desk person from changing your CEO's password if someone impersonating your CEO yells convincingly enough on the phone.

So what's a CISO to do?

Go back to security basics
Social engineers know that it's easier to access a company's sensitive information by using people rather than technology. Beat them at their own game with four measures to harden your weakest link: people.

1. Control information access — First, revisit those old-faithful practices such as "need to know" and "separation of duties." The less information each employee has to share, the less damage they can do when targeted by a social engineering attack. Access controls in software systems help limit the information that any one person can give to a hacker. As a result, hackers are forced to contact more people in order to get all the data they need to launch their attack, making it more likely that they will be detected before they succeed.

2. Create a security response team — These are your "first responders" for social engineering and any other security incident and should have a documented protocol for dealing with all types of attacks. Make sure everyone in the company understands when and how to contact the team.

3. Encourage employees to be distrustful — Train your employees to respond to suspicious requests for information in a polite and helpful way without providing any information, and then to report the incident to the security response team. "Give me your number and let me call you back with that information" is always a great response to a suspected social engineer.

4. Verify the effectiveness of training — Finally, just because you've done training on social engineering doesn't mean it will work in practice. Train your employees how to handle requests for information and then reinforce these behaviors with continuous testing to make sure the message is getting through.

Overcoming gullibility
Humans are gullible. We like to help other people. We like to be liked. And for thousands of years, our trusting nature has been getting us into trouble. The Greek story of the Trojan Horse tells us that humans have been suckers for social engineering since about 1200 B.C. More likely, social engineering is as old as humankind. But by simply limiting access to information and thoroughly training employees in how to detect and respond to socially engineered attacks, you can protect your business against this dark art.

Read HP’s report on human-centered attacks, “Defend your business against the dark art of social engineering” (.pdf), and learn more about hardening your organization against all manner of attack, at

