Social Engineering Penetration Testing
Social engineering is the single biggest security threat facing your business.
A social engineering penetration test will help you evaluate your employees’ susceptibility to social engineering attacks.
You can then develop an appropriate awareness programme to limit your exposure.
What is social engineering?
Attackers masquerade as trusted entities and manipulate victims into compromising their security, transferring money, or providing sensitive information.
Social engineering attacks can occur both online and offline.
One of the most common forms of social engineering is phishing.
Phishing attacks involve emails that appear to be from legitimate senders but contain malicious attachments or links.
They either use drive-by downloads to install malware on victims’ machines or harvest their credentials.
Did you know?
Proofpoint's 2019 report 'The Human Factor' found that 99% of cyber attacks use social engineering to trick users into installing malware.
Social engineering penetration testing
Educating your employees about how social engineering attacks are carried out, and implementing and maintaining appropriate security controls to mitigate them, is critical.
Social engineering penetration tests provide a basis on which to highlight issues with operating procedures and to develop targeted staff awareness training.
Our social engineering penetration test will help you:
- Establish the publicly available information that an attacker could obtain about your organisation;
- Evaluate how susceptible your employees are to social engineering attacks;
- Determine the effectiveness of your information security policy and your cyber security controls at identifying and preventing social engineering attacks; and
- Develop a targeted awareness training programme.
Is a social engineering penetration test right for you?
If you are responsible for your organisation’s information security, you should ask yourself:
- What information about your organisation is publicly available that could be used to facilitate social engineering attacks?
- Are staff vulnerable to phishing and other forms of social engineering?
- Could a social engineer gain unauthorised access to offices and site locations by exploiting weak security measures?
- Could an attacker gain access to sensitive information from mislaid documentation?
- What information could be obtained by someone taking hardware off-site?
Our engagement process
Our CREST-accredited penetration testers follow an established methodology to help model your real threats and provide actionable recommendations. This approach will emulate the techniques of an attacker using many of the same readily available tools.
- Scoping: Before testing, our consultancy team will discuss your social engineering assessment requirements to define the scope of the test.
- Reconnaissance: Our social engineering team uses a variety of intelligence-gathering techniques to collect information from public sources about your organisation.
- Assessment: Our social engineering team attempts to gain access to the systems and/or buildings that hold the target information defined by you.
- Reporting: The test results will be fully analysed by an IT Governance certified tester, and a full report will be prepared for you that sets out the scope of the test, the methodology used and the risks identified.
- Workshop: Our team can also run a workshop that will help your employees identify and respond to the cyber threats conducted during the exercise.
Our penetration tests comply with the Microsoft Rules of Engagement
For Azure clients, this means we take care to limit all penetration tests to your assets, thereby avoiding unintended consequences to your customers or your infrastructure.
“IT Governance combines the delivery of real insights with a cost-effective service.”
Ian Kilpatrick, Group Information Security Officer at Collinson Group.