Modern-day social engineering is a big problem for small businesses. Here’s why…
It may sound like a confusingly mechanical term that only IT experts could fully understand, but social engineering is, in essence, pretty simple. It is the art of deceiving people into giving up confidential information which can then be used to commit fraud.
In the case of information technology, social engineering is generally the act of trying to steal data such as login details, financials or account information, or of installing a virus or malware on your system to gain access to information, and therefore to money.
While this may seem like more of a problem for consumers, attacking companies is big business for cyber criminals. In 2014, RSA put the cost of social engineering to global organisations at approximately $4.5 billion, and all the signs show that this isn’t likely to slow down. In a honeypot-style test, researchers from Imperva also found that stealing company information, in particular, was of high value to criminals, with 25% of attackers choosing to target businesses over individuals.
Small businesses, with their often-limited resources and lack of time, are some of the easiest to attack.
What social engineering attacks are common against businesses?
The most common type of social engineering attack is a mass-market email phishing campaign. However, spear phishing poses the greatest risk to businesses because it is harder to spot. Spear phishing usually targets a high-level employee of a company with emails, telephone calls, or messages that seem to come from trusted sources within the company.
Social engineering attacks via social media are now becoming more popular, with criminals manipulating user trust (through fake testimonials, thousands of followers or likes, professional-looking photos or realistic-looking engagement) to glean information. In early 2017, SecureWorks reported that a social engineering attack called Mia Ash had effectively used fake Facebook and LinkedIn profiles to send targets an attachment containing malware, which allowed the attackers to take complete control of a victim’s system.
Similarly, social media lends a helping hand to attackers’ email phishing campaigns as they can easily get a list of company employees from a site like LinkedIn and then create emails that look like they are coming from a co-worker to lure people in.
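A defender-side check for the co-worker impersonation described above, added here as an example and not part of the original article: it flags a From display name that matches an employee directory entry but whose address is not that employee’s, a sender domain that closely resembles the company domain, and a Reply-To that diverts replies elsewhere. The employee directory, company domain, sample headers and the 0.8 similarity threshold are all constructed assumptions.

```python
"""Flag inbound mail whose sender impersonates a known employee.

Constructed example: the employee directory, the company domain and the
sample header below are made up; the 0.8 similarity threshold is an
assumption, not a published value."""
from difflib import SequenceMatcher
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed internal domain
# Constructed directory: the names an attacker could harvest from LinkedIn.
EMPLOYEES = {"alice okafor": "alice.okafor@example.com",
             "dan reyes": "dan.reyes@example.com"}

def split_address(header_value):
    """Return (display name, address, domain) from a From/Reply-To value."""
    name, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return "", "", ""
    return name.strip().lower(), addr.lower(), addr.rsplit("@", 1)[1].lower()

def is_lookalike(domain):
    """True for a domain that is close to, but not, the company domain."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    return SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8

def check_headers(headers):
    """Return the reasons a message looks like co-worker impersonation.

    headers: dict with at least "From", optionally "Reply-To".
    """
    name, addr, domain = split_address(headers.get("From"))
    if not addr:
        return ["from-unparseable"]
    reasons = []
    # Display name belongs to a real employee but the address is not theirs.
    if name in EMPLOYEES and EMPLOYEES[name] != addr:
        reasons.append("display-name-mismatch")
    # Domain differs from ours by a character or two (e.g. examp1e.com).
    if is_lookalike(domain):
        reasons.append("lookalike-domain")
    # Replies quietly diverted to another domain: a common BEC pattern.
    _, reply_addr, reply_domain = split_address(headers.get("Reply-To"))
    if reply_addr and reply_domain != domain:
        reasons.append("reply-to-diverted")
    return reasons

if __name__ == "__main__":
    sample = {"From": "Alice Okafor <alice.okafor@examp1e.com>"}  # constructed
    print(check_headers(sample))
```

In practice the directory would come from the company’s identity provider and the check would run in the mail gateway or SIEM, tagging rather than silently dropping messages so that the employee reporting culture described later still applies.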
While it may seem surprising that people fall for these kinds of attacks, they can be incredibly sophisticated, and it only takes one person to become a victim for the whole business to be put in jeopardy. From hacking a business’s cloud services to pretexting (attackers making calls to ask employees for passwords) and business email compromise, the variety of social engineering plots is increasing, and businesses struggle to keep up with protecting themselves against the risk.
How do we protect ourselves from social engineering?
While it is not possible to protect your business from all social engineering attacks, careful monitoring of IT systems and layered protection will help businesses stay safer. Cyber security providers employ breach detection systems that shorten the time it takes to respond to an incident and support businesses as they try to keep up with social engineering attacks. These systems watch over and guard network communications and apply behavioural analytics so that threats are easier to identify and respond to.
Businesses will also have more success if they take a data-centric approach to protection, using encryption and other such means to keep information as secret as possible. Basic security controls, like using endpoint security tools, can help to a point, but focusing on the likely victims of an attack – the employees themselves – will ultimately yield better results.
Companies searching for ways to lower the likelihood of becoming a victim of social engineering should start by creating an office culture where employees are expected to question what is being asked of them, and to report all suspicious emails, calls, or messages, whether or not anyone has fallen for them. Social engineers prey on our innate drive to cooperate and not to question those in a position of power or service (such as a CEO asking for a bank transfer to a private account, or an IT team member requesting a password to help solve a problem), so raising awareness of this in the workforce will help to mitigate the risk.
Ultimately the best way to learn is through experience. Security awareness training for employees is therefore of paramount importance, and with social engineering (and particularly phishing) one of the best ways to learn is through interactive simulations.
Phishwise is an online learning platform we’ve developed to help businesses and their employees understand and identify phishing attacks and allow humans to become the first line of defence against social engineering threats.