We know cyber attacks are getting far more sophisticated, ransomware attacks in particular are becoming far more focused, and data is always a target.
Social engineering is a relatively new term in the cybersecurity sphere, and it refers to attacks where criminals use information they have gleaned to trick employees into revealing even more sensitive information or downloading malicious files. Once these cybercriminals gain a digital foothold in a corporate network, they can steal valuable data or pursue a ransomware attack.
A recent GetApp data security survey, as reported by Small Business Trends, found that only 27% of companies provide social engineering awareness training. GetApp says:
“That means nearly 75 percent of businesses could be leaving their employees to fend for themselves against masters of manipulation. Companies must train employees on how to recognise social engineering techniques that are designed to exploit human nature for access to sensitive company data.”
It also found that 8% of employees have received no cybersecurity training at all. Small Business Trends notes that a previous survey found 43% of all cyberattacks hit small businesses. Of these businesses attacked, 60% will go out of business within six months.
What is a social engineering attack?
A social engineering attack is a cyber attack that uses some form of “psychological manipulation” to trick an individual into breaching their own, or their employers, security. Cyber attackers can use phishing emails, social media, and research, to find personal information. GetApp warns:
“This includes conducting background research using social media, corporate websites, Google maps, and public records. Armed with this knowledge, scammers are able to conduct their schemes inconspicuously, put employees at ease, and even build a rapport with their targets.”
Cybercriminals can use information to engage employees or try and form a relationship and open a line of communication where they can find out what they need to complete an attack. Cybersecurity software provider Imperva says:
“A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.”
Imperva produced the following graphic to detail a social engineering attack’s life cycle.
Security aware employees can help to protect your business
Social engineering attacks rely on human error. Here at The Defence Works we penned a previous blog on how individuals are the last line of defence against email cyber attacks. Proofpoint’s Annual Human Factor Report found that 99% of phishing attacks rely on unsuspecting victims clicking unscrupulous URLs. Add social engineering to this mix, if cybercriminals use personal connections or information to make a phishing email look even more convincing – it’s even more likely to be opened, a link clicked, and a malicious file downloaded by an unsuspecting employee.
Imperva says social engineering attacks can take the form of baiting, scareware, pretexting, and phishing and spear phishing attacks.
Baiting could be leaving a malware infected flash drive where a curious employee could pick it up or sending an enticing advert.
Scareware, or deception software, might trick an individual into thinking their device is already infected prompting them to install the software containing the real threat.
Pretexting can involve a cybercriminal pretending to be someone else to gain information or to get someone to perform a task. Imperva says:
“The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.”
Let’s not forget a cyber attack this year saw the CEO of a UK energy firm swindled into transferring €220,000 to who he thought was a supplier after cybercriminals used artificial intelligence (AI) powered software to impersonate the voice of his boss in a telephone call.
But, educating your workforce about these risks doesn’t need to be a complicated or dull affair. In fact, organisations should try to ensure the training given to employees is interactive and engaging – making the lessons more memorable and also giving employees the opportunity to experience a “real-life” situation. At The Defence Works, our Interactive Episodes do just that – created brand-new, each month and always based on a recent, real-life event, they’re a great way of educating the workforce in a modern, engaging and fun way.
Engage your staff with scenario-based security awareness training or “In-the-Moment” training.
A comprehensive and holistic cybersecurity strategy is essential
The cybersecurity software firm warns that “social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps.” They recommend the use of multifactor authentication for accounts and logins and always ensuring antivirus and antimalware software is kept up to date. And, avoiding suspicious emails and offers that sound too good to be true.
These latter points are part of security awareness, a vital ingredient of an overall cybersecurity strategy that should include cybersecurity software, systems that protect data, and regular assessments of strategy and software and network vulnerabilities.
On reporting GetApp’s findings of a lack of cybersecurity and social engineering risk awareness training, Small Business Trends writes:
“Investing in enterprise cybersecurity alone is not going to cut it. small businesses need to invest in regular training for their employees in order to fully address this threat. This will help in adding yet another layer of protection for the company’s sensitive data.”
Europol’s just released 2019 cybercrime report also pointed to the need for cyber education.
There’s no better time to start educating your workforce about the dangers of social engineering. Try our free demo to get started, today.