It’s said that amateurs hack computers and professionals hack humans.
With all the recent discussion about ransomware, malware delivered by malicious websites, and other technology-enabled attacks on businesses, it’s easy to be lulled into a false sense of security by thinking that technology created security problems and technology (e.g. antivirus software, firewalls, etc.) can, should, and will solve these security problems for your business.
Social engineering attacks outnumbered attacks on software vulnerabilities and exploits for the first time in 2015. Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss amounting to more than $2.3 billion. Hackers are attacking the weakest link in any business’ security perimeter – the employees – to steal from your business!
Social engineering is the use of manipulation, influence and deception to get your employee to comply with a request, usually a request to release information or to perform some action that benefits the attacker. It can be something as simple as a telephone conversation or as complex as getting your employee to visit a website that exploits a technical flaw and lets the hacker take over the computer. Your employees could be tricked into anything from letting someone into your office to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit, such as personal information (passwords, account numbers, etc.), company information (phone lists, identity badges, etc.), and network information (servers, networks, etc.).
Some examples of social engineering attacks are the following.
• Spear Phishing – Instead of casting out thousands of emails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The emails are ostensibly sent from organizations or individuals the potential victims would normally get emails from (CEO, CFO, company website, vendors and suppliers, etc.), making them even more deceptive. These emails often convey a high sense of urgency, making employees act quickly without thinking the situation through.
• Dumpster Diving – This is exactly what it sounds like: digging through trash looking for valuable information such as junk mail (especially credit card offers), company phone lists, company org charts (names, titles, etc.), corporate letterhead to create official-looking correspondence, and even computers and other electronic equipment that might contain valuable data.
• Six Degrees of Separation – Here the hacker identifies a “whale,” or a high-level employee. Using social media and watching the target’s in-person patterns, the hacker reaches out to the target’s friends, family, or employees with the full intention of eventually earning the target’s trust. The criminal may begin by gathering personal nuggets about team members, as well as other “social cues,” to build trust or even successfully masquerade as an employee.
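The spear-phishing pattern described above (a message that looks like it comes from the CEO or CFO and pushes for an urgent action) is something a mail gateway or help desk can screen for mechanically. The following is an added illustration, not code from Colden Company or from the original post. It assumes a company mail domain of example.com and a small, constructed executive roster; the two sample messages are constructed for the demonstration. It flags three classic signs: a display name that matches an executive but an address that does not, a Reply-To that points somewhere other than the sender's domain, and urgency language in the subject or body.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumptions for the example: your organization's mail domain and a constructed
# roster of executives whose names are most likely to be impersonated.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",     # constructed: CEO
    "john smith": "john.smith@example.com", # constructed: CFO
}

# Phrases that commonly appear in "act now, don't think" requests.
URGENCY_PHRASES = ("urgent", "immediately", "asap", "right away", "before end of day", "wire")

# Constructed sample: executive display name, outside address, mismatched Reply-To, urgency.
SAMPLE_SPEAR_PHISH = """\
From: Jane Doe <jane.doe.ceo@gmail-mail.example.net>
Reply-To: payments@invoice-desk.example.net
To: accounting@example.com
Subject: URGENT wire transfer needed before end of day

I am in a meeting and cannot talk. Please process this immediately.
"""

# Constructed sample: a routine internal message from the real executive address.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounting@example.com
Subject: Q3 budget review agenda

Attached is the agenda for Thursday.
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str) -> List[str]:
    """Return a list of human-readable findings for one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    findings: List[str] = []

    # 1. Display-name impersonation: name matches an executive, address does not.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(
            f"display name '{display_name}' matches an executive but sender is {from_addr}"
        )

    # 2. Reply-To steering replies to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from sender domain")

    # 3. Urgency language in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Treat a message as suspicious when it shows at least `threshold` of the signs above."""
    return len(analyze(raw_message)) >= threshold


if __name__ == "__main__":
    for label, sample in (("spear phish", SAMPLE_SPEAR_PHISH), ("legitimate", SAMPLE_LEGIT)):
        print(label, "->", is_suspicious(sample), analyze(sample))
```

The threshold matters: urgency language alone is common in legitimate business mail, so a single finding should route the message for a second look rather than block it, while a display-name mismatch combined with a redirected Reply-To is a strong enough signal to quarantine and ask the employee to confirm the request by phone through a known number.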
Social engineering is an undeniable reality with the potential to have a very real-world impact on your business. What are some ways that your business can protect your employees and keep valuable data out of the hands of criminals who could damage your business?
1. Password Management – Outline strict standards for secure passwords (length and complexity) and insist on regular password expiration and change.
2. Two-Factor Authentication – Two-factor authentication, also known as 2FA, requires not only a username and password but also something that only your employee has access to, such as a physical token or a token-generating app. Use 2FA to secure high-risk network services like VPNs or third-party web services.
3. Anti-Virus Defenses – Always enable and keep updated anti-virus defenses at vulnerable locations such as firewalls, email gateways, and employee workstations.
4. Change Management – When your employees are comfortable and familiar with a well-documented change-management process (rather than reacting off the cuff), they’re less vulnerable to an attack that relies on a false sense of urgency.
5. Information Classification – Ensure that confidential information is clearly identified, uniquely secured, and handled as such.
6. Document Destruction – Confidential information should be shredded rather than thrown into the trash or recycling.
7. Data Destruction – Electronic equipment and storage devices should always be responsibly disposed of using an R2 certified recycler that provides specific data destruction services and documentation.
Most important of all is building a security-aware culture in your business. Educate your employees on the real-world damage done by such theft to other companies. Empower your employees to recognize threats and make smart security decisions on their own. Embed security awareness deeply in the minds of your employees and ensure that employees at every organizational level feel comfortable with reporting anything suspicious.
Colden Company can provide your business with several security services to keep your business safe. We offer managed antivirus, regular security assessments, vulnerability scanning (internal and external), hacking detection, systems patching and updating, perimeter security services, and other technology-enabled solutions to protect your business. In keeping with the topic of social engineering, we can provide security awareness training to your employees as a first step in embedding a security awareness in your business. Building awareness is the single most important step you can take to keep ahead of the criminals.
Don’t be a victim or another FBI statistic! Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.