Six ways to engage your employees in social engineering defense

Stefan DeCosse
Director, Information Security

Stefan joined Payworks in 2015 as a key member of the security team and has been instrumental in evolving our security practice, including the establishment of our Security Operations Centre from the ground up.

Social engineering is an increasingly common tactic used by “bad guys” online to gain access to personal information or an organization’s information systems. Social engineering is a form of fraud that exploits our natural desire to please others, or our fear of consequences, to prompt action that is quicker than it should be.

For example, you might receive an email that appears to have come from your company’s CEO asking for your immediate help with something urgent, but with a malicious link inside. Alternatively, your employees might receive an ominous voice mail about their credit score or income taxes that threatens legal action or account suspension unless they submit personal information to verify their identity. These are social engineering attacks, designed to make the recipient of the message act quickly, without the due diligence needed to confirm or dismiss the request.

The best way to protect yourself and your team against social engineering is to create awareness around the office about what it looks like and the steps to take when evaluating whether or not a message is legitimate. Here are six ways to engage your employees in social engineering defense:

1. Make the information relatable

Social engineering attacks, like phishing scams, can occur outside of work too. Understanding that these risks apply at work and at home is important. Show employees real-life examples of social engineering to help them spot it in the future.

2. Keep advice on best practices easily accessible

Provide cheat sheets for identifying social engineering red flags. Keep these tips top of mind by including them on posters in break spaces and lunchrooms, or readily available where company documents can be accessed by employees such as within ESS or a company intranet.

3. Give employees a sense of ownership

Emphasize the fact that your employees need to act as the first line of defense by being alert to cyber-crime like social engineering. Everyone needs to do their part to ensure the safety of the company and its sensitive information.

4. Frequently evaluate your employees’ knowledge

Not only does regular evaluation reinforce the importance of protecting personal and company information; it also provides insight into how to improve your own security awareness program – which topics seem to be the most confusing? How could you present the information more clearly?

5. Provide a secure place for employees to communicate their questions and concerns

Reinforce that it’s OK if they feel like they don’t fully understand the risks or warning signs of social engineering yet – it just means there’s an opportunity to improve. Also, provide a simple way for them to report a suspected social engineering attempt.

6. Reward them for their vigilance

Positively reinforce your staff for reporting a security threat or demonstrating superior security awareness skills. It doesn’t have to be extravagant, but taking the time to recognize your employees’ efforts to keep personal and company data secure will reinforce the importance of remaining diligent.

Interested in a Demo or more info?

We would be more than happy to show you how to get the most from our suite of workforce management solutions. Simply contact your sales representative at sales@payworks.ca to start the conversation.