If you don’t know about Social Engineering’s role in hacking your systems, then you need to.
In this blog we’ll take a look at a critical element in your cybersecurity programme – your staff. We’ll assume that you have a viable cybersecurity and threat detection system in place (although 43% of businesses currently don’t) and an up-to-date IT department running it.
The next basic requirement for safety is a cybersecurity policy for the workplace. Sounds like common sense, doesn’t it? So you might be forgiven for being surprised to hear that, according to the CBI, half of UK businesses don’t have one. And even if you do, how do you ensure that it works?
And that’s where social engineering comes in as a huge threat. Cybercriminals have come a long way from that nice Nigerian man who needs to get millions out of the country and just needs your bank account details to do so. Laughable now, yes – but at the time it fooled hundreds of people. Social engineering is the term for the approach criminals take now: psychological manipulation techniques that exploit weaknesses in the human psyche to get information. The difference is that social engineering is rarely the whole attack; it is one step in a more complex fraud scheme or intrusion, the step that gets the attacker a credential, a foothold or a payment.
The list of attacks is surprising in content and growing rapidly. Unlike broadcast spam, these attacks depend on researching the target and going after fewer, better-chosen individuals, and they exploit two of our core characteristics: curiosity and trust. Attacks are turning from code to people.
Two examples from the Verizon Data Breach Investigations Report 2016. A Hollywood executive received a gift from a company he did business with, which included a branded USB stick with a film trailer on it. Playing the trailer installed malware that enabled the attacker to steal an unreleased film from his system. A 2016 university experiment dropped 300 tagged USB sticks in various locations to see what happened to them. 47% were plugged into a computer, and the first one registered only 6 minutes after the drop…
That’s a personal problem for whoever picks the stick up, right? Wrong. People tend to have one password that they use everywhere, so if a password stolen from a personal account is also used on your system, you are at risk. Current phishing emails spoof sender addresses, people and companies, and are built from stolen data. Your staff get these emails at work too, including ones dressed up as business networking. Dropbox has been impersonated by phishing emails asking you to log in with a variety of accounts, as have most banks you can name, and even LinkedIn has not been immune. We’ve also heard of staff getting phone calls from “Tech Support” and being talked into giving the caller access to the network.

This highlights the need for workforce security awareness training that is effective in building the human firewall. It is impossible for a business to get this perfect, but you can improve your employees’ effectiveness in combating social engineering. The training needs to educate the workforce so that they understand not only what they should and should not be doing, but also why. They need to understand the significance of the security risks.
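The spoofed-address phishing described above leaves tells that can be checked mechanically before a human ever has to decide whether to trust the message: a display name that claims a brand the sender domain does not back up, a Return-Path on a different domain from the From address, and link text that names one site while the href goes to another. The check below is an added example written for this post, not code from the original blog or from Dropbox, LinkedIn or any bank; the brand table and both sample messages are constructed for illustration, and the domain reduction is a deliberately crude assumption (last two labels) that a production version would replace with the public suffix list.

```python
"""Flag the common spoofing tells in a phishing e-mail (added example)."""
import email.utils
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumption: brands your staff see day to day and the domain each legitimately mails from.
KNOWN_BRANDS = {"dropbox": "dropbox.com", "linkedin": "linkedin.com"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def registrable(host):
    """Crude 'which domain is this really' reduction: keep the last two labels.
    Assumption for the example; real code should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def domain_of_header(value):
    """Registrable domain of the address in a From/Return-Path header ('' if none)."""
    _, address = email.utils.parseaddr(str(value))
    return registrable(address.rsplit("@", 1)[-1]) if "@" in address else ""


def spoof_indicators(raw_message):
    """Return a list of (kind, detail) findings; an empty list means no tell was found."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    name, _ = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = domain_of_header(msg.get("From", ""))

    # 1. Display name drops a known brand, but the sender domain is not that brand's.
    for brand, legit_domain in KNOWN_BRANDS.items():
        if brand in name.lower() and from_dom != legit_domain:
            findings.append(("display-name", f'"{name}" sent from {from_dom}'))

    # 2. Bounces go to a different domain than the visible sender.
    #    Caveat: mailing lists and bulk senders do this legitimately, so treat it as a
    #    supporting signal rather than proof on its own.
    rp_dom = domain_of_header(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(("return-path", f"{rp_dom} != {from_dom}"))

    # 3. Link text shows one host while the href leads somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        href_dom = registrable(urlparse(href).hostname or "")
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(0)) != href_dom:
            findings.append(("link", f"{shown.group(0)} -> {href_dom}"))

    return findings


# Constructed sample: a "Dropbox" login lure with all three tells.
PHISH = """\
Return-Path: <bounce@mailer-x.net>
From: Dropbox Support <no-reply@dropbox-secure-login.com>
To: staff@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please sign in at
<a href="http://login.dropbox-secure-login.com/auth">https://www.dropbox.com/login</a>
within 24 hours to keep your files.</p></body></html>
"""

# Constructed sample: a consistent message from the real domain, for comparison.
LEGIT = """\
Return-Path: <no-reply@dropbox.com>
From: Dropbox <no-reply@dropbox.com>
To: staff@example.com
Subject: Your weekly summary
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://www.dropbox.com/events">www.dropbox.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, spoof_indicators(sample))
```

None of these checks replaces SPF, DKIM and DMARC on your mail gateway, which verify the envelope and signature rather than eyeballing headers; the point is that each tell the training tells staff to look for can also be turned into a rule that fires before the message reaches them.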
A once-a-year reminder email is not enough. Neither is making security look like an onerous chore that gets in the way of work.
So what can you do?
In our next blog, we’ll look at what measures you can take to help your staff become your human firewall – and an essential part of your cybersecurity policy. Which, of course, is built around your network security policies and a firewall.