Those in the tech industry seem to have a fascination with creating new vernacular or repurposing old lingo for innovative concepts. Social engineering is one of the latest IT buzz terms to undergo the renaming process. Merriam-Webster defines this method as the “management of human beings in accordance with their place and function in society.”

Of course, the social engineering term used by cybersecurity professionals has a significantly different meaning. TechTarget describes it as an “attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.”

In other words, cybercriminals couldn't care less about your place and function in society; their sole goal is to trick others into sharing passwords, private information, and other details that help them gain access to computer systems and networks. Data access, not people, is the top priority.

To Help, You Must Understand the Game

Social engineering is the approach cybercriminals use to gain valuable information. As overheard at the latest IoTSSA Cybersecurity roadshow, it is essentially the script or playbook criminals use to trick unsuspecting people into handing over their network credentials and other access information. MSPs who want to protect their clients must keep themselves informed on the latest social engineering schemes and be able to teach end users what to do or what to say when asked to provide certain information over the phone.

Manipulation is their primary tool. It’s difficult to think of social engineering as a cyber attack, yet the goals of those communicating over the phone or through email are virtually the same as those attempting to hack into a client’s network. They are simply running a con instead of deploying a virus ‒ gaining the confidence of unsuspecting employees by lying or leveraging known information gleaned from social media, websites, news stories, and other locations.

Emotion is the heart of social engineering. Cybercriminals typically use urgency or fear to get their victims to take action: revealing sensitive information, clicking links to malicious websites, or opening infected files. Many of these “actors” could win Academy Awards for their portrayal of helpless co-workers or business associates, or officials from government or law enforcement agencies.

The Channel Solution

As everyone should know by now, people will always be the weak link in cybersecurity. That’s why social engineering is so successful. Preventing these types of attacks can be extremely difficult for the average business owner, and many don’t seek outside support until it’s too late.

That’s usually the time MSPs get brought into the discussion.

Of course, the first step for providers is to stand back and assess their ability to address and minimize these types of threats for other businesses. MSPs must have a solid understanding of the schemes and goals employed by these cybercriminals to formulate their own plans of attack.

The problem with social engineering is that some of these cybercriminals are so good that they’ve been able to manipulate their way into providers’ networks. It’s scary to think of the damage a hacker could inflict on an MSP and its clients with a password to their RMM or PSA tools.

That’s why providers must implement cybersecurity programs from the inside out. The second step in countering social engineering attacks involves putting all the MSP’s employees through end-user training, as well as requiring everyone to adhere strictly to the company’s protection policies.

Setting high internal security standards should be job one for any channel company. Some providers implement zero-tolerance rules with management approval required for any exceptions ‒ which should be rare.

The final step takes place only after an MSP’s internal processes have been locked down. When all their employees have a firm grasp on how to counter social engineering techniques, and cybersecurity tools and policies have been put in place to protect the business, it will be much easier to sell and deliver these services to others.

Confidence and demonstrated expertise are crucial when building new business practices. Just ask the cybercriminals who capably employ social engineering schemes to snag their victims. With a thorough understanding of the latest “underworld” techniques, as well as the “tried and true” deception methods, MSPs can better prepare themselves and their clients for the next wave of attacks.

Brian Sherman
Content Director of IoTSSA & GetChanneled