There’s nothing new about social engineering. It’s old-fashioned con artistry with a fancier sounding name. The Trojans had their horse. The schemer on the streets has his game of three-card Monte. And hackers and cybercriminals have their own tactics.

You’ve no doubt heard of (and received) phishing emails, when someone sends a legitimate looking message with an attachment that will infect a network if opened by an unsuspecting employee. Chances are your employees have seen them, too. At least they are familiar with the tactic, even if they don’t know exactly what it’s called.

What about water holing, though? Do your employees know what that is? Do you? That’s the practice of hackers infecting sites that people from their target company may go to and then infecting computers on the target network once users there do visit those sites. It’s a bit of a guessing game, and it can take a bit of time to be effective. But for hackers, it’s worth the effort.

The hacker’s playbook is big, and it’s growing. New threats, whether they are vulnerabilities in software or social engineering techniques, are emerging all the time. That’s why organizations can’t rely on last year’s training to be enough to protect today’s network. Still, that’s what many state and local governments are doing.

We’ve been looking at common security misconceptions over the last few posts, and this is the third one that needs to be addressed.

Misconception No. 3: Last year’s training is enough to keep the network safe.

More and more, hackers are turning away from these brute force attacks and malware as the means of getting into a network. Instead, they are counting on the naiveté, and some would say ignorance, of the typical employee. They are using social engineering schemes to trick these employees into providing them with legitimate ways to enter the network.

It’s OK, though, because the training that was held a year or two ago covered all of those tricks. The network is protected. Well, that’s true if your company never hired another employee after that training. And if hackers weren’t constantly evolving their methods. Oh, and if your employees remember everything they learned two years ago. Unfortunately, that’s probably not the case.

How to combat this misconception: Training needs to be thorough, regular, and ongoing. Unfortunately, for smaller organizations the execution of that training is probably falling to someone in the IT department, and training and educating aren’t really in the skillsets of many in IT.

With that in mind, here are some things to know about effective training.

• • Use Simplified Language

    Speaking on a level that employees can fully comprehend is essential. It will result in fewer of your employees being confused and unsure about what they’re learning.

• • Encourage questions

    The only way to know if what’s being conveyed is being understood is by encouraging questions. Stop and ask specific individuals questions regarding the content in order to reassure that everyone is on the same page.

• • Regular education and testing

    Hackers are continually trying new methods for getting into a network. Keeping employees up to date on these methods is critical. The easiest way to do that is with a regular newsletter that addresses new or recurring threats.

As the saying goes, a chain is only as strong as its weakest link. The only way you’ll know where those weak links are is by randomly testing employees on social engineering tactics.