How Education and Team Effort Can Protect Your Company.
What is Social Engineering?
This year IBM reported that the "global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million."
Every day, hundreds of people are getting calls from Google, the IRS, and various other commonly known entities. It always starts with them informing you that you either owe money or that your computer has been compromised and they need immediate access.This is considered social engineering.
These small business scams of today emerged from versions of advance-fee scams(a form of fraud that involves people giving money in hopes of some sort of return) like The Spanish Prisoner scam of 19th Century and the Nigerian Prince email scams from the last decade. The evolution from advance-fee to internet scare tactics happened because we all rely on the internet, at least most of us do. And, our inboxes got smart about marking spam as spam but our phone providers haven’t.
You may be laughing to yourself because you know better, but there is someone out there that will feel scared enough to take the bait (shout out to my Grandma). This trick is getting old for the majority of people but all that it takes is one slip-up to topple a tower as companies continue to depend on the internet for business.
Social Engineering involves the attacker using any means to gain trust with the victim before taking advantage of them. Attackers often use familiar key points to build authority and take advantage of their victim. When you get a call from “Google” you are familiar with that brand, but most people need a bit of an extra push, so the attacker also takes advantage of what the victim doesn’t know. Most people use computers every day but they don’t know how they work, or what “malicious viruses” are capable of. This common scenario is known as pretexting, where the victim is prompted for immediate action, otherwise, there will be an imaginary consequence.
Risky Business (No not the movie)
Social Media
Social media is a continuous risk for companies, it provides information that can be used for more targeted attacks and provides a platform for information to be shared quickly. An employee could release valuable information on the company that can be provided to a competitor. Any type of insider knowledge can affect stocks and public image.
Yes, we’re all well aware that Jessica hates her job, but we also know key information like her job title, favorite colors, pets, and mutual friends. With this information, you can guess passwords, familiarize yourself with her coworkers and strike up a friendly conversation. Perfect for tailgating or gaining trust within a social circle.
Mobility
Mobility is tricky. It’s a lot safer to have in-house servers, programs and fail-safes; however, employees have their individual goals to complete, opening up the doors to using tools that are not provided by the company. Devices like private cellphones are a major risk to any company for their employee using the device to sign into work programs or make business-related phone calls.
BYOD (bring your own device) is one of the more concerning routes that companies are going in. Although useful in cutting down equipment costs, there are no guarantees on what information will be shared from that device.
Our next big issue is that laptops and mobile devices with sensitive information can be stolen. Or if a personal device is used, you can accidentally leak important information; for example, in 2017, a fitness app released a GPS map allowing people to find military bases. Even more alarming, it allowed users to track military personnel as they jog, creating detailed heat maps that could be used against them.
Take in careful consideration of what information your employees have access to. Help them minimize the risks of oversharing data that can negatively affect your company.
Shadow IT
Shadow IT is the use of products outside of what’s provided by the company. This is particularly hard to control because the user may not realize that using outside tools is a hazard to intellectual property. Companies give their employees a task, and employees become resourceful in completing that task.
Sometimes it’s more convenient to go with an outside product, or perhaps the tools that have been provided to the employee are not complex enough to complete the task (this can also be that the employee is not skilled enough to use the tools provided.) This is where we run into employees seeking out and using outside products, like add-ons, cloud-based storage, and apps.
To help prevent an employee from downloading software that can lead to virus attacks, offer plenty of resources and training opportunities to get employees familiar with the various tools that they are able to use. A download manager can also be helpful in filtering out any problematic extensions or software that an employee may try to download.
The Lowdown on Common Social Engineering Attacks
Tailgating isn’t just for cars
How many times have you been in a situation at a resort where someone has left their pool key back at their room. They ask you to let them in the gated area, or vice versa. The odds are high that as long as they look the part, you’ll let them in.
This is a dangerous scenario for companies. There’s a reason why people are required to sign in. If an unauthorized person has access to the floor, then they can easily steal passwords, drop infected USBs, and gain access to private information.
There was a time when I worked for a company and a coworker forgot his sign-in badge at home. Instead of going to the front desk to get a temporary day badge, he decided to tailgate into the office all day. This is a huge issue for numerous reasons. One; it is a safety hazard. If we have a fire or an emergency requiring us to leave the building, the company has no way of knowing he is there for the day. Two; none of these employees know if he’s still an employee, he could have been fired the day before and has come back to seek revenge on the company. Three; letting someone tailgate is sharing responsibility if something goes wrong. It also shows the blatant trust that employees have for someone labeled as their “own.” I guarantee that he didn’t know EVERY person he was tailgating. So if tailgating is not an issue for fellow employees it’s definitely not an issue for anyone looking for unauthorized access.
Baiting
“I’ve never been good at fishing, but we’re referring to cybersecurity in this case.”-me. (This is how quotes work right?)
Baiting is when the victim is presented with an item that will spread malware once used. It can be a CD, USB, a script or any other item that can spread malware. Think of it as a Trojan Horse from the legendary story of Odysseus (or the movie Troy). A common issue is when a client sends over information in a USB, and the USB hasn’t been checked for malware by your in-house security team. Very rarely will an employee submit an item to the in-house security team. This can lead to malware being uploaded into the computer system.
Phishing Emails (they’re tricky)
Phishing is extremely common, and for good reason. It has a very high success rate and it isn’t a very time-consuming process. Phishing is the process of creating an email or website that shows authority, and sometimes combines pretexting in order to prompt the receiver into action. Phishing emails depend on the receiver to click on a link to either take them to a malicious website or to download a hazardous file.
Best Business Practices to fight off social hackers
1. Start off with a Strong Foundation:
Educating yourself and your personnel is a huge part of securing your infrastructure from cyber attack risks. Having a proper training course to identify and avoid risks that your employees have continual access to is a major asset to any company that has something to lose.
2. Make Cybersecurity a Team Effort:
Sharing the responsibility throughout the company makes team members more likely to reach out for help before potentially falling prey to common social engineering techniques.
3. Manage Shadow IT by Empowering your Employees:
No one likes extensive bureaucratic regulations being enforced, but when it comes to protecting sensitive information, the red tape does serve a purpose. But, being proactive and providing employees with the necessary tools to complete their tasks and showing them how to effectively use these tools lessens the need for more dramatic restraints. And, if they have specific programs that they want to use, encourage them to submit it to IT for approval before using.
4. Communicate who your Vendors are:
Communicating to your employees who your vendors and maintenance are, and what days they will be in the building. Stress to always have them direct any questions to the management of utilities. Let employees know that it is perfectly acceptable to express concern to the management of anyone in the building that does not meet the descriptions provided to them.
The Weakest Link Conclusion
As you can see, people are easier to “hack” than a standard website with security practices in place. Having a course in place to show your employees how to protect themselves and the company from outside threats is a must, monitoring and collecting information will be your friend. Preparation and implementation are key to protecting your data within your company. It’s important to not only plan for an inevitable leak but to also prevent unnecessary leaks.
Can you please share or clap this post? It helps out a ton! Thank you for the support 🙂
AKOS works with businesses and nonprofits build their digital presence and systems for maximum impact. Learn more and get in touch with us at akosweb.com/contact.