The Human Element of Cybersecurity and Social Engineering

In any organization, one human error can be all it takes for an attempted cyber breach to turn into a successful one. Unfortunately, this risk is often overlooked in favor of more tangible cybersecurity efforts.

There have been huge strides in the advancement of real-time threat prevention, detection, and response through the enhancement of various monitoring and blocking tools. But until we recognize the importance of the human element in cybersecurity, we are doing ourselves and those we serve a huge disservice.

Here are five key steps any organization can implement to strengthen the defenses provided by employees.

1. Understand what social engineering is today.

As we become a more connected world, social engineering no longer looks like it did 10 years ago. With more ways to connect comes more opportunities for breaches. From phone calls to text messages, emails to instant messaging, shoulder surfing to dumpster diving, there are many ways cybercriminals can obtain information while concealing their true identity and motives.

The first step in addressing social engineering is acknowledging that it can look like almost anything, including:

  • A friendly email from a prospective donor
  • An in-person visit from an alleged contractor
  • A phone call asking about basic account information
  • An email from HR requesting an update to direct deposit information
  • An email from an executive seeking W-2 information or a wire transfer
  • A vendor requesting an update to their bank account information

It’s important for all employees to understand that these threats can come from anywhere, and that they should always be alert to the possibility that they are being misled.

2. Develop effective policies and procedures.

Create and implement policies and procedures that specify how employees at each level should handle potential or confirmed social engineering activity. These should document the duties and responsibilities of all staff when verifying the identity of anyone requesting information, and should spell out how to decide whether that information needs to be disclosed at all.

Your procedures should be clear enough that staff know how to report concerns and how to escalate and contain an attempt that is still in progress. Your policies should also state the potential consequences for failing to follow documented procedures, up to and including termination, legal ramifications, or both.

Have all employees acknowledge these policies upon hire and at least annually thereafter. It’s also a good idea to review and revise these policies on an ongoing basis to ensure your procedures remain consistent with the current threat environment.

3. Train management and staff.

The best line of cyber defense in any organization is the people within it. That means you should be allocating appropriate resources to keep this control as strong as possible.

Make cybersecurity training mandatory before granting new hires access to any systems or sensitive areas. You also should provide ongoing training to ensure employees remember their responsibilities in keeping your organization secure and aware of current risks.

No one should be exempt from training, including senior leadership and board members. These employees often have elevated levels of access and the ability to perform the functions most desirable to fraudsters.

4. Test the effectiveness of your training.

Most organizations are used to auditing various controls, but many aren’t auditing the human element. Periodic social engineering tests show how successful your training efforts have been and help identify the weakest points. This could be a phishing test like the one in our Cyber Checkup, or a round of pretext phone calls. It can even involve in-person testing, where a stranger pretends to need access to sensitive areas or information and you observe whether staff verify the request.

The results of this testing could indicate that more regular training is required or that your current method of training may not be as effective as anticipated.

5. Educate your donors and constituents.

The general population does not receive regular cybersecurity training. That means some of your donors and constituents may view extra steps to protect them and their data as an inconvenience that they are not willing to accept. Educating them on why these extra steps are in place and the necessity of verifying their identity can help ease concerns and prevent data breaches. It will also help your organization develop an overall commitment to security from all channels.

As technological advancements continue at a rapid pace, the human element is getting less and less attention. These critical steps can help you continually strengthen your most important line of defense.


Authors: Allison Davis Ward, Partner and Elyse Gunn, Senior, CapinTech