Choose your topics

What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Cyber Security

Do You Trust Me? How Trust Is Central To Social Engineering Attacks – And Defense

Do You Trust Me? How Trust Is Central To Social Engineering Attacks – And Defense
Written by


Published on

5 Jul 2019

Do You Trust Me? How Trust Is Central To Social Engineering Attacks – And Defense


Social engineering is a malicious data theft technique built on one thing – trust.

First, the perpetrator works to gain the trust of the target – and this could be through myriad techniques – both digital and face-to-face. Social engineers gain people’s trust, tricking their way into buildings so that they can walk out with physical documents, flash drives, servers or even laptops in hand. Alternatively, they may develop that trust entirely digitally, purporting to be from a known or reputable organization, or getting in touch with a credible query.

Once that trust is built, social engineers are in a powerful and sinister position. They will hone in on a target, devise the communication they will naturally respond to using all the right language, and get what they want without the target even noticing they’ve given it away.

As such, defense against social engineering techniques needs to be built around stringent frameworks for gaining and maintain trust in your colleagues, customers, and all third parties you work with. But how can you achieve this?

Training combined with technology

First, staff need to receive ongoing, dynamic training which actively responds to the evolving threat landscape, so they are empowered to recognize typical signs of social engineering and to ‘distrust by default.’ In person, this means training security personnel to recognize signs such as identity or access cards that have been forged or tampered with.

Digitally, it means training all personnel – particularly senior management, who are likely to be the targets of so-called ‘whaling attacks,’ to recognize signs such as suspicious email requests. For example, Barracuda analysis has identified the most common subject lines used in targeted phishing emails by cybercriminals, including ‘Request,’ ‘Follow up’ and ‘Urgent/important.’

Of course, simply screening out all such emails is a blunt technique which will result in important and legitimate content being missed. Staff awareness needs to be combined with more specific actions. We recommend, for example, tagging emails which arrive from outside your organization, so that warning flags can be automatically raised when social engineers are pretending to be from inside. Likewise, staff should be encouraged never to click on links in emails and instead visit sites directly.

Training also needs to be combined with technical protections such as vulnerability scanning and sandboxing. This can be challenging, and if you have multiple security technologies in play, you will need a single vulnerability management platform or tool to consolidate the results from all these and offer you a single pane of glass view into the incoming content arriving at your organization.

Third-party risk management solutions can also play a key role in screening incoming content, by automating the risk analysis of your major vendors, partners and suppliers, and ensuring that content arriving from those sources is automatically trusted.

Testing and verification

Getting all of those protections in place is just one part of the puzzle, however. Next, you need to test how robust those protections are by undertaking ethical social engineering as a simulation technique. This is the only way to verify how effective both your training and your technologies have been. If a social engineer on your own side can trick a staff member into keeping a door open for them, clicking on a compromised link or opening an infected attachment, then so too could a malicious party.

You also need to consider the trust that your own partners and customers place in you, and the risk of malicious actors purporting to be from your own organization. Combat this by being clear and upfront about your risk management and compliance processes – you must demonstrate clearly and actively how seriously you take cybersecurity and risk management. Trust is a two-way street.

An integrated approach

Above all, an integrated approach to risk management – considering both the trust you place in incoming content, and the trust your partners place in the content you send out – is essential.

This, and other aspects of how to guard your organization against the threat of phishing, are discussed in our recent webinar hosted by Cybersecurity Operations Director, Luke Potter. Click here to watch now.