When Microsoft security experts offer advice, organizations should listen, particularly with regards to social engineering attacks. Microsoft has provided insight into social engineering attack prevention and mitigation.
Social engineering attacks are becoming increasingly sophisticated, and as a result, far more difficult to control since the attackers generally prey on the human element rather than technology.
According to Microsoft’s Security Intelligence Report, social engineering attacks can only be managed through a holistic approach that optimizes software, people, and the organization itself.
For example, organizations should be strategic in terms of allocating powerful user accounts (eg “the attack surface.”) These accounts allow access to highly-sensitive information and as such, are considered high-risk. These accounts must be limited in their quantity, and secured through a proportionately high degree of controls.
Similarly, IT should examine other “soft spots” across the environment, be it technology, process, or policy. Organizations should also create a social engineering incident response team to quickly mitigate damage should a breach take place.
Lastly, companies should train and test their employees for social engineering attacks. Phishing simulation attacks are a cost-effective method for such testing.
Running simulated phishing tests will determine your employees' susceptibility to social engineering and phishing scams. Train your employees and help them identify spear phishing and ransomware attacks.