As cybersecurity pros, we often get laser-focused on the technical defenses. We build firewalls, implement encryption, deploy intrusion detection systems – all absolutely essential for protecting your digital assets. But sometimes, we might overlook a really crucial truth: the human element is still the primary target for cyber threats. Social Engineering Training is therefore a vital defense layer to address this ongoing vulnerability.
Recent data confirms this reality loud and clear. The Verizon Data Breach Investigations Report (DBIR) and the ENISA Threat Landscape (ETL) report for 2024 both show it. Despite all the advanced security tech out there, people still click malicious links. They still fall for convincing scams. They still make mistakes that, unfortunately, lead to breaches. In fact, the Verizon DBIR tells us that around 68% of all breaches involved the human element (Verizon DBIR). That’s a massive number, and it affects organizations in every sector you can think of – finance, healthcare, critical infrastructure, government. It hits everywhere. So, understanding why this keeps happening and making social engineering training a top priority is more critical now than ever before.
So What Exactly Is Social Engineering?
Think of social engineering as bypassing the technical locks by simply tricking someone into opening the door. It exploits human psychology, not software flaws. It’s about manipulating people into revealing sensitive information or performing actions that ultimately compromise security (ENISA ETL). Basically, it’s conning someone into doing something they really, really shouldn’t. While technology delivers the attack message, the fundamental vulnerability is human behavior. Social Engineering Training is designed to counter this. ENISA defines it as activities that exploit human error or behavior to gain access (ENISA ETL).
Common Ways Attackers Try to Fool People
Attackers have a whole toolbox of tricks, and they’re constantly refining them:
- Phishing: This is the most common tactic. Attackers use deceptive emails, messages, or fake websites to trick recipients into giving up sensitive data, like passwords or credit card numbers. It primarily targets employees.
- Spear-Phishing: A much more targeted and personal form of phishing. Attackers research and customize messages using specific information about the victim or organization, making the lures far more convincing.
- BEC (Business Email Compromise): These sophisticated scams often leverage existing email chains to appear legitimate and target employees authorized to approve payments. Attackers frequently demand urgent wire transfers.
- Smishing (SMS Phishing): Attacks delivered via text message (SMS). Attackers impersonate trusted companies or entities to persuade victims to click malicious links or call a fake number, often bypassing traditional email defenses.
- Vishing (Voice Phishing): Involves deceptive phone calls where attackers impersonate trusted organizations to obtain sensitive information. Attackers might pose as fraud agents claiming unusual account activity to guide victims through fake security processes leading to account takeover.
- Baiting: This tactic lures victims with false promises, such as free downloads or gifts. Attackers often distribute compromised software via malicious links or ads. Users are tricked into downloading malware instead of the promised content.
- SEO Poisoning or Malicious Ads: Attackers manipulate search engine results or use ad platforms to direct users to sites hosting compromised software or malware. This method uses seemingly trusted channels and can link to supply chain risks, making it difficult for users to spot the danger.
Why Are We Still Vulnerable?
Despite all the security awareness efforts, including formal awareness and training programs, the sheer volume and sophistication of these attacks can really overwhelm people. Attackers invest time building rapport (Verizon DBIR), making the lures harder to spot. Messages can look like they’re from trusted contacts – peers, partners, or vendors.
New tactics leverage emerging tech. MFA spam or prompt flooding, where users get repeated MFA push notifications, is a rising concern. Attackers hope you’ll just accept to stop the annoyance. It’s been successful in over 20% of social attacks last year. And AI is helping craft fake emails and generate convincing deepfake audio or video, making deception much harder to see through. Plus, user errors, like uploading confidential documents to GenAI platforms, create risks. The rise of BYOD (Bring Your Own Device) also plays a part; Verizon found a significant percentage of compromised non-managed devices had corporate logins (Verizon DBIR), suggesting personal devices carrying corporate data are a risk. Stolen credentials from infostealers are key parts of attack chains. Verizon data links infostealer logs with ransomware victims, pointing to stolen credentials as a frequent starting point. So, the combination of human factors and evolving tactics makes this a constant challenge.
Social Engineering Isn’t Just One Threat; It’s the Doorway to Others
Social engineering isn’t isolated. It often acts as the entry point for more serious attacks. It frequently overlaps with System Intrusion and Basic Web Application Attacks (BWAA). For instance, phishing or pretexting often leads directly to credential theft (Verizon DBIR). These stolen credentials are then used in 88% of BWAA breaches (Verizon DBIR). Ransomware attacks commonly start with social engineering tactics used to gain initial access or deliver malware. The Verizon DBIR supports the idea that leveraging stolen credentials from infostealers (often acquired via social engineering/malware) is a primary tactic for some ransomware groups (Verizon DBIR). Even simple Miscellaneous Errors, like misdelivery, can expose sensitive data if attackers get credentials through social engineering. So, getting a handle on social engineering has a broad positive impact across the entire threat landscape.
How Effective Training Builds Your Defenses
Since your people are a prime target, empowering them is absolutely key. Robust security awareness training is an essential defense (Verizon DBIR, ENISA ETL). Training helps users spot phishing emails, recognize pretexting lures, and identify other social engineering tactics. Phishing simulation campaigns are a vital tool for testing your team and helping them learn.
Verizon DBIR data shows a significant result: users with recent Social Engineering Training report phishing emails at a much higher rate (21% vs. a 5% base rate). This increased reporting is crucial because it helps your security teams identify and respond to active campaigns faster. While training’s impact on users actually clicking links is a bit less dramatic (a small 5% relative impact), continuous training does lead to consistently increased reporting. This tells us the value of training goes beyond preventing clicks – it builds a reporting culture. CIS Controls for Social Engineering also emphasize user awareness.
Actionable Steps You Can Take Right Now
Based on recent insights, here are practical steps you can implement to strengthen your human defenses and reduce social engineering risks:
- Comprehensive, Tailored Training: Go beyond simple phishing tests. Train employees to recognize various tactics like pretexting, MFA prompt bombing, and AI-assisted scams. Customize content for different roles and departments. Implement structured security awareness programs.
- Reinforce MFA and Educate Users: MFA is vital but can be bypassed by social engineering. Ensure users understand why MFA requests appear and warn them against approving unexpected prompts. Encourage stronger MFA methods like TOTP apps. Emphasize MFA, especially for remote access.
- Scrutinize Logins and Monitor Activity: Implement controls to carefully check logins, particularly those using session keys or cookies potentially stolen via adversary-in-the-middle (AiTM) attacks. Actively monitor asset and user activity logs for unusual signs of a compromised account.
- Easy and Integrated Reporting: Make it simple for employees to report suspicious emails or activity. Integrate their reports into your security workflow to quickly spot and contain threats. Have defined processes and personnel for incident handling and BEC response.
- Address Third-Party Risk: Social engineering targeting your vendors and partners creates risk for you downstream. Ensure third parties have strong security practices, including training and MFA. Plan for incidents that might involve your partners.
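The "Reinforce MFA" and "Scrutinize Logins and Monitor Activity" steps above come together in one concrete detection: flagging the MFA prompt-flooding pattern described earlier (a burst of push prompts for one user, often a run of denials or timeouts that ends in an approval). The following is an added example, not code from the Verizon or ENISA reports or from any identity provider; the log format, field names, window and threshold are constructed assumptions for the demo.

```python
"""Detect MFA push prompt flooding (MFA fatigue) in authentication logs.

Constructed example: the log layout (timestamp, user, push result) and the
thresholds are assumptions, not a real provider's format or defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. alice is pushed repeatedly and finally approves;
# bob sees two unrelated prompts far apart and should not alert.
SAMPLE_LOG = """\
2024-05-02T08:01:10Z alice push_denied
2024-05-02T08:01:42Z alice push_denied
2024-05-02T08:02:15Z alice push_timeout
2024-05-02T08:02:50Z alice push_denied
2024-05-02T08:03:20Z alice push_approved
2024-05-02T08:05:00Z bob push_approved
2024-05-02T09:30:00Z bob push_denied
"""


def parse_log(text):
    """Parse 'timestamp user result' lines into (datetime, user, result)."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_prompt_flooding(events, window=timedelta(minutes=5), min_prompts=4):
    """Return {user: details} for users with >= min_prompts push prompts inside
    any sliding window. 'ended_with_approval' marks the outcome an attacker is
    hoping for and is the case a SOC should treat as a probable account takeover."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= min_prompts:
                rejected = sum(1 for _, r in burst if r != "push_approved")
                alerts[user] = {"prompts": len(burst), "rejected": rejected,
                                "ended_with_approval": burst[-1][1] == "push_approved"}
    return alerts


ALERTS = detect_prompt_flooding(parse_log(SAMPLE_LOG))
```

An alert with `ended_with_approval` set is the one to escalate: revoke the session and reset the factor, then use the employee-reporting channel to confirm with the user.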
It’s More Than Just Training: Build a Strong Security Culture
While specific, effective training is the foundation, building real resilience requires more. It demands a shift in your organization’s culture. Both the Verizon and ENISA reports highlight how important collaboration is, both within your organization and with others in the industry.
- Be Transparent and Share Information: Organizations should be open about the threats they face and share information. This is critical for building effective threat modeling and helps the whole industry understand the landscape better. Reporting incidents, even if there wasn’t confirmed data loss, provides valuable insights. Verizon emphasizes the value of data contributors sharing information. ENISA points out that threat landscape assessments rely on diverse open-source data and contributor insights. Fostering exchanges between cybersecurity pros and other communities, like counter-FIMI (Foreign Information Manipulation and Interference), is essential. Using standards like STIX can help structure this sharing.
- Empower Employees as Defenders: Encourage your employees to report things. See them as active participants in your defense. Their reports, even from a simulation, help detect threats early, leading to faster remediation. This is particularly important in sectors like the public sector, which face persistent threats because of their public nature. A culture where employees feel okay questioning suspicious requests is vital and can help prevent BEC scams.
- Focus on Vendor Security Outcomes in Procurement: Don’t just check if a vendor has a security policy checkbox. Evaluate their actual security outcomes. Ask them how they manage patches, how they handle vulnerabilities, and what their disclosure programs look like. Make positive security outcomes a real factor when you’re deciding who to work with. This helps you proactively manage supply chain risk.
Wrapping It Up
Look, the human element is going to remain a persistent challenge. Attackers are always going to try and exploit it, using increasingly sophisticated social engineering tactics. These tactics are often the initial step that leads to way more damaging breaches – ransomware, data theft, disruption.
While technical controls like MFA are absolutely critical, they aren’t foolproof. That’s why empowering your employees through robust, continuous social engineering training is non-negotiable. This training needs to go hand-in-hand with building a truly resilient security culture. That means fostering collaboration internally and externally, being transparent about threats, and empowering your employees to be active participants in your defense. By understanding the nuances of these attacks and investing in both your people and your processes, your organization can significantly reduce its risk and protect its assets and the communities it serves.
Ready to strengthen your defenses?
Building a strong security posture starts with your people. Equip your team with the knowledge to combat social engineering threats. Explore resources and training programs that empower your employees and enhance your organization’s overall resilience.