When you think of cyber attacks, you most likely think about a mysterious hacker working alone from a darkened room, clicking away at a keyboard and mouse, bathed in the eerie blue light of multiple computer screens. But today’s phishing scams and other cyber attacks rely on a far more insidious means of gaining access to valuable data and secure physical facilities – social engineering.
What is social engineering? A social engineering attack is much like a traditional con; in it, a scammer uses manipulation, social niceties, and a target’s naivete or inattention to protocol to access facilities or data. Sixty-six percent of cyber attacks rely on social engineering. Are your employees capable of recognizing and resisting such an attack?
Recognizing Potential Social Engineering Attacks
Social engineering attacks tend to use specific scenarios. Often, phishing, ransomware, and other malware attacks that target companies reach their targets via the email inbox, according to Digital Guardian. All employees of a company use email for intracompany communications and even for communications with clients, customers, and helpdesk support staff. And social engineering helps scammers tailor emails to pull the wool over targets’ eyes.
Provide regular training on avoiding phishing scams and suspicious emails, and drill into employees that they should be suspicious of emails that pressure them to open a link or download an attachment. Teach employees to double-check the actual sender address (not just the display name) to verify its source, and to hover over links so the real destination is visible before clicking. When in doubt, avoid clicking links or opening attachments in an email without first verifying its authenticity through a separate channel.
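The two checks described above (verify the real sender address, and compare where a link says it goes with where it actually points) can be automated as a gateway filter or a training aid. The script below is an added example, not code from the original article; the message it inspects is constructed, and the trusted-domain set is an assumption supplied by the caller.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name names one organisation,
# the address is on another domain, and the first link's visible text is a URL on a host other than the real href.
SAMPLE_EMAIL = """From: "Example Bank Support" <support@examp1e-bank-login.test>
Content-Type: text/html

<p>Confirm your details at
<a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/login</a>
or read the <a href="http://www.example-bank.test/faq">FAQ</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Hostname of a URL or bare domain; None when the text is not URL-like."""
    host = urlparse(value if "://" in value else "http://" + value).hostname
    return host if host and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None

def mismatched_links(html):
    """Links whose visible text is a URL on a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    return [(t, h) for t, h in parser.links if host_of(t) and host_of(t) != host_of(h)]

def suspicious_sender(from_header, trusted_domains):
    """True when the address behind the display name is outside the trusted set."""
    _name, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower() not in trusted_domains

def analyse(raw, trusted_domains):
    """Run both checks on a raw RFC 822 message; returns (sender flag, bad links)."""
    msg = message_from_string(raw)
    return suspicious_sender(msg["From"], trusted_domains), mismatched_links(msg.get_payload())
```

Links whose visible text is a plain word ("FAQ") are not flagged; only text that itself looks like a URL is compared against the real destination.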
Email isn’t the only means of launching a social engineering attack, however. Sometimes, these attacks are launched in person. Scammers may search through the company dumpsters for sensitive documents that haven’t been shredded, or devices thrown away with still-retrievable data on them. A scammer may talk his or her way into sensitive areas of the facility by pretending to be an employee, claiming they’re new or that they forgot their badge, or even wearing a company uniform and fake ID tag. Once they’re in, the scammer could steal equipment or data, install malware on company computers, or damage company servers or other equipment.
Scammers may talk their way into a facility by naming an alleged supervisor, or by waiting for a real employee to enter and then following behind them – a practice known as “tailgating,” which takes advantage of the ingrained social tendency to hold open doors for people. To facilitate this practice, a social engineering hacker may pose as a delivery person with his or her hands full of packages, including food or drinks.
Still others will rely on phone communication to gain sensitive data from your employees. They may call IT claiming to be an employee who needs to change his or her login credentials. Sometimes, they’ll pose as a customer or client, asking lots of questions about the company or a specific staff member, and even trying to gain the contact person’s trust so they can wrangle more information. In this way, they can get the data they need for a very targeted attack on a specific employee, or they can use a false sense of rapport to manipulate an employee into granting a risky favor.
Training Tips for Employees
Any network security solution you implement should include comprehensive and frequent employee training sessions that help staff recognize social engineering attacks and fend them off. Mandatory, regular training sessions for all employees can keep them alert, and help them feel empowered to push back when someone calls or shows up asking to bend the rules of the security protocol. A combination of tabletop exercises, sharing sessions, mock scenarios, online modules, and drills can help drive home the importance of remaining vigilant in the face of what will likely be repeated social engineering attempts.
Create a down-to-earth policy for data and facility security that employees can easily understand, memorize, and follow. Post reminders in public locations. Incorporate information about social engineering into all messages and trainings about security, and encourage employees to put security first. The goal is that your employees should enter all interactions, whether by email, phone, or in person, with security in mind.
One good way to drive home the message is to have security consultants test your employees’ adherence to security protocols regularly. Consultants will try to gain access to sensitive areas without the proper clearance, through such means as posing as delivery or janitorial staff, taking badges and IDs from unsecured vehicles in the parking lot, attempting to tailgate into secure areas, posing as a new employee, or simply talking an employee into sharing access or information.
While malware and computer viruses remain a threat to your company’s cyber security, social engineering attacks may present a bigger risk. With these attacks on the rise, it’s vital that your employees be on the lookout, so they can avoid the kinds of security mistakes that cost companies millions.