Welcome to part two of our blog series on protecting your business from a cyberattack! Last month we discussed the first step in securing your company, which is doing a security assessment and getting a lay of the land when it comes to where your defenses currently are and where they need to go.
While that security assessment is always the first step in bringing your cybersecurity in line with today’s threats, the steps from this post onward don’t have to be done in a strict order. It might make sense to tackle them in a different order than we present them if that fits specific tasks into your schedule more easily or lines up better with your overall IT roadmap.
Of course, you could also tackle one of them each month or so, following along with our blogs as they release! Regardless of the order, these are all areas where we highly recommend you focus your cybersecurity efforts.
That’s enough preamble—let’s get on with it, eh?
What is social engineering?
If we’re going to talk about training to prevent social engineering, it’s a good idea for us to get on the same page about what social engineering is. It’s broadly defined as a manipulation (or series of manipulations) that exploits human trust, habit, and emotion, rather than a flaw in software, to gain private or protected information or access. In other words, it’s when someone with access to a company’s network or private data (which is probably everyone in the company, as well as some third-party partners) is tricked into giving a malicious actor access they wouldn’t otherwise have had.
Compared to something like a brute-force or DDoS attack, social engineering attacks are subtler: they can succeed without anyone noticing that an unwelcome party is in the system, and they are a lot more common.
And as opposed to hacking attempts that look for holes in a company’s digital defenses, these attacks take advantage of human nature to get the attacker welcomed in through the front door. Humans have emotions; we care, we get angry or frustrated, and we implicitly trust that most people are being honest with us. Each of these (very natural) human traits is a potential avenue for a practiced attacker to manipulate an employee and gain access to the data they want to steal.
This is why training all employees, not just IT and security staff, is essential in fending off social engineering efforts.
Examples of social engineering attacks
We’ve all heard the stories about emails from a supposed “Nigerian Prince” or down-on-their-luck individual that just needs a small influx of cash to regain access to a much larger wealth—which, of course, they will use to pay us back tenfold for our kindness!
These are widely known in 2022 as scams, but some years ago they were very prevalent social engineering tactics—and, to a degree, successful in duping either the gullible or the technologically uninformed. Today, we all know not to click on the links these emails offer us or to send our banking or personal information to a stranger.
But a lot has changed since those days, and it’s not always obvious when a bad actor is trying to manipulate you. Hackers and professional criminals use tactics far more sophisticated than many people realize; here’s a more recent example of the kind of thing that can happen.
A receptionist working in a software company’s office is going about her day when a young man walks up to her desk. He looks to be in his late twenties and a little disheveled, like he is running late: his shirt isn’t tucked in, and he seems nervous. Otherwise, he looks completely normal.
This man tells the receptionist he’s here for a job interview, but it’s almost the top of the hour. He asks her if she could do him the favor of printing his resume off of his flash drive while he cleans up in the bathroom and gathers himself for the interview.
The receptionist, moved by compassion for this person who seems to be down on his luck, is happy to help with such a simple and reasonable request. She takes his flash drive and points him toward the restrooms. She plugs the thumb drive into her desktop, and before she has even clicked “print” on the Word document resume it contains, her workstation is compromised by the malware on that drive and the attacker has a foothold on the company’s network. A drive does not need anyone to open a file to do this; one common technique is a device that presents itself to the operating system as a keyboard and types commands the moment it is plugged in.
This example has all of the hallmarks of an effective social engineering attack: it was quick, it relied on human emotion to gain access, and it gave the attacker access to sensitive data without anyone realizing it had occurred. It would likely be some time before anyone even realized the company’s data had been compromised. It also shows why training is not the only control worth having: a workstation that refuses unapproved removable devices, or a dedicated guest printing station that is isolated from the company network, would have blunted this request no matter how sympathetic the receptionist was.
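The request in the story only works because the receptionist’s workstation will mount and open whatever drive it is handed. As an added example (this is not code from this post, nor from Mission Cyber Group or KnowBe4), here is how a Windows administrator can apply the built-in “deny all removable storage” policy locally and verify that it took effect. It assumes a Windows workstation, an elevated PowerShell session, and the standard Group Policy-backed registry location for this setting; in a domain you would set the same policy through a GPO instead of the local registry.

```powershell
# Added example: deny all removable-storage access on a Windows workstation.
# Assumptions (also stated in the lead-in): Windows, elevated PowerShell,
# and the standard policy registry path used by the
# "All Removable Storage classes: Deny all access" Group Policy setting.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Weak state: the policy key is absent, so any drive a visitor hands over
# mounts immediately and its files open with a double-click.
if (-not (Test-Path $PolicyKey)) {
    Write-Output 'No removable-storage policy is set: USB drives mount freely.'
}

# Hardened state: Deny_All = 1 is the registry form of the policy above.
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord

# Verify what is now configured before trusting it.
$Effective = (Get-ItemProperty -Path $PolicyKey).Deny_All
if ($Effective -eq 1) {
    Write-Output 'Removable storage is now denied for all classes (applies at the next policy refresh or reboot).'
} else {
    Write-Output 'Policy was not applied; confirm the session is elevated and the key is writable.'
}
```

Two caveats a practitioner should keep in mind. This setting governs storage-class devices only; a drive that enumerates as a keyboard and types commands is controlled by the separate device-installation restriction policies, so those need to be set as well. And the receptionist still has a legitimate need to print visitors’ documents, so pair the block with an isolated guest printing station rather than simply taking the capability away.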
What you can do to prevent social engineering attacks
It’s important to note something about the above example. The receptionist who was manipulated into giving this criminal access to the company’s network and data didn’t do anything inherently wrong. Her compassion was taken advantage of. You don’t want your employees to stop being compassionate; they just need to know the risks of their actions and how to spot social engineering tactics. Phishing attacks and the like are so popular among criminals because they work; human nature is often an easier path to the treasure trove of a company’s data than the path through its digital defenses.
That’s where training comes in. There are two ways to train your employees so that your team can’t be taken advantage of as easily. First, there are resources employees can read or watch to learn about the types of scams and maneuvers social engineering attackers use. While these are undoubtedly useful, the second way, hands-on courses, tests that simulate real attacks, and seminars that give employees a taste of what it feels like to be on the receiving end of a manipulation campaign, is far more valuable. We learn best by doing, after all.
Companies like Mission Cyber Group, and our partner KnowBe4, can serve as security consultants that help train a company’s employees in defending against social engineering attacks. This is extra valuable when compared to do-it-yourself videos and readings because a professional security company can tailor the training to the specific contexts of the organization and its employees.
It’s the System that Needs Work
There are professional organizations out there that exist to go after companies’ employees using manipulation techniques that are hundreds of years old (such as the old “confidence man” routine)—but updated for modern times. Today’s organizations need to be prepared, and it’s usually the system of training that needs work; your employees shouldn’t be punished for being human. Rather, you can empower them to be another strong link in the chain of defenses around your company’s sensitive data through a thorough and expert training program.
Malicious actors are only getting more sophisticated in their lines of attack; if you want your employees to stay up to speed with the best ways to protect your organization, drop David at Mission Cyber Group a line at [email protected], or reach out to us on our Contact page.