The opening scene of the 1990 film Home Alone illustrates an example of an exploitative activity known as social engineering. Harry the burglar impersonates a cop and learns from Mr. McCallister himself exactly how his home is protected from intrusions – a simple system of automatic timers for their lights and locks for their doors. This knowledge gives Harry the confidence he needs to proceed with the burglary later in the film.
These types of attacks aren’t just for the movies. Cybercriminals today often use social engineering techniques to gain access to organizations and their sensitive data, even using organizations’ third-party vendors as an entry point.
Human Factor Phishing: Social Engineering in Third-Party Risk Management
Social engineering is a type of manipulation in which the attacker tricks the victim into disclosing sensitive information. Many organizations are already aware of these cybersecurity threats, including those that arrive through third parties, and of how they can impact their operations.
Vulnerability and penetration testing can identify weaknesses that can be exploited by attackers, but social engineering methods, like a phishing attack, can be more challenging to prevent because they’re targeted towards employees who are essential for daily operations. In fact, the research company Forrester predicted that 90% of data breaches will include the human element in 2024.
Understanding the human factor in cybersecurity can help protect your organization from these common types of threats. It’s also essential to evaluate these threats in your third-party risk management (TPRM) program and ensure your vendors have addressed them in their security policies.
The Risks of Third-Party Social Engineering and Phishing Attacks
Social engineering attacks can be carried out in many forms, such as a phishing email or text with a fraudulent link, or even a phone call asking to verify your identity. These attacks can create the following risks for your organization, even when they’re targeted towards your third-party vendors:
- Data breaches – Fraudulent links can direct users to sites that look legitimate. The user might submit credentials or other sensitive information, which the attacker can collect and use to access your system. Cybercriminals may even target your vendors specifically as a way into your organization. Your organization’s sensitive data can then be stolen, copied, or encrypted in a ransomware attack.
- Operational disruptions – These are often a natural extension of security incidents like data breaches and ransomware attacks. A successful social engineering attack that impacts your systems or data can create significant operational disruptions and delays. Also consider the time and resources needed to re-evaluate your system after an incident or resolve issues with customers.
- Reputational damage – A third-party social engineering attack can put your organization in the spotlight and harm your reputation. A damaged reputation can last for years and potentially impact your organization’s bottom line.
What to Review in Your Vendor’s Security Policies to Mitigate Social Engineering Attacks
One of the most effective ways to mitigate the risk of third-party social engineering attacks is through the due diligence process. Reviewing your vendor’s policies and procedures related to security training and awareness will help identify where your organization might be at risk of the human factor in cybersecurity.
Here are three areas to review in your vendor’s security training and awareness documentation:
- Testing and simulations – Verify that your vendor is performing phishing simulations and other social engineering tests on its employees and contractors on a periodic basis. This will help ensure your vendor’s staff can recognize different types of threats and understand how to respond to an attempted attack. In general, phishing simulations should be performed about once per month.
- Privileged users – Your vendor’s policy and procedures should identify its most privileged users, such as IT administrators and senior executives. These users are often the primary targets for social engineering attacks because they have more access to sensitive data. Privileged users should therefore undergo more frequent testing and simulations.
- Continuous education – Social engineering methods are becoming more sophisticated, especially with the rapid rise of artificial intelligence (AI). Audio and video can easily be manipulated, making it even more difficult to detect fraudulent sources. Vendors should require their employees to engage in continuous education that will keep them aware of the most current social engineering attacks.
The human element in cybersecurity will likely continue to be one of the biggest threats to address in your third-party risk management program. It’s important to stay aware of current social engineering methods and be intentional about assessing your vendors’ knowledge and preparedness for today’s most common cybersecurity attacks.