Social Engineering Assessments

Social engineering assessments test the human and physical elements of an organisation's cyber security. They put that security to the test by finding out if and how a criminal could 'break in' to the organisation's networks, whether through social engineering techniques aimed at staff or by bypassing physical security controls.

These assessments are sometimes carried out as part of a larger Red Team Assessment, which tests security through ethical hacking that combines penetration testing, social engineering and physical attacks. Legally hacking into a company's networks shows where the vulnerabilities lie. On the social engineering side, this may take the form of employees falling victim to phishing emails; on the physical side, it may mean getting past security guards and receptionists to reach the internal network. The assessment then reports how to mitigate the vulnerabilities that were found.

Though extremely useful for discovering gaps in security, these assessments can sometimes be confusing or overwhelming. Most ethical hacking succeeds, gaining access to networks and information by one method or another, because no organisation can ever be 100% secure. An ethical hacker is therefore likely to get into a system somewhere, and that success can give the impression that security as a whole is failing, leaving the organisation uncertain about which security measures should be adopted as a priority. Agreeing clear objectives and scope beforehand, and asking for findings ranked by impact rather than a plain list of the ways in, makes the results easier to act on. For this reason, assessments of this kind are often seen as best suited to companies and organisations that have already implemented a high level of security and want to test particular aspects of their security procedures, or to use the exercise as an awareness-raising activity. So, while social engineering assessments, and Red Team Assessments more generally, highlight vulnerabilities and can help to devise plans to improve cyber security, their success at 'breaking in' may be counterproductive in some cases.