Whilst cyber attacks on major organisations or governments are increasingly hitting the front pages, hackers still have plenty to gain from attacking smaller organisations.
In the government’s latest Information Security Breach Survey, 74% of small and medium-sized businesses reported that they had suffered a breach.
One of the most commonly used tactics in cyber attacks against smaller businesses is social engineering.
While social engineering can take on several forms — such as phishing or baiting — these attacks have one thing in common. They all target a link in the chain that is very often overlooked in security strategies: humans.
The social engineers work to deceive employees by passing themselves off as service providers or individuals from within the organisation in order to gain access to confidential data, make a bank transfer or penetrate the company network so they can encrypt data and demand a ransom.
In most of these scenarios, the social engineering element typically forms part of a larger cyber attack.
In order to successfully carry out these attacks, hackers gather information from company websites and social networks so they can imitate the employee or service provider whose identity they have assumed as convincingly as possible. This enables them to deceive the target victims and make them complicit in committing fraudulent acts.
Combining several pieces of data allows an attacker to create a plausible scenario to present to the target. By coming up with a pretext, the attacker can convince the victim to take a desired action.
For example, they could convince the victim to visit a website of the attacker’s choice. If the attacker already knows what operating system and browser the company uses, it’s easy enough to design an attack specifically for that environment.
A successfully implemented social engineering attack is quite often how serious threats end up on otherwise well-protected networks.
A determined social engineer will keep poking around until he finds the crack in the armour. That crack could come from social media, a careless conversation, an unsecured computer, some misplaced paper, and so on.
The more persistent criminals may spend months researching a target before ever contacting the company, but even a few hours of prep time can result in a successful attack.
Of course, just having a security policy isn’t good enough — employees have to be educated about the risks and follow the policy without exception.
To minimise the risk of falling victim to social engineering attacks, companies should follow these three golden rules.
1. Educate your employees
Even with the best cyber security solutions in place, if the humans behind them are not aware of the dangers, the network will remain vulnerable.
It is essential that every company educates its employees about the various social engineering techniques used by hackers. If they know their enemy, then they stand a fighting chance of adapting their behaviour and picking up on the first signs – however minor they may seem.
A few guidelines are indispensable. Check the email address of the sender. Ensure that it features all of the company’s corporate elements. Do not click on suspicious links. And, if in doubt, call your colleagues directly to confirm that they really are making a bona fide request.
Companies can run workshops either internally or with the support of a security service provider. These give employees the opportunity to work through some light-hearted exercises based on simulated scenarios.
2. Put in place an email filtering solution
The vast majority of social engineering attacks are carried out via email. Therefore, a good email filtering solution can neutralise some of these attacks before they even reach users’ inboxes. Such solutions can scan the content of an email before it is received, and detect any corrupted attachments or links.
3. Implement strong data governance
Data governance is a set of processes and policies that are put in place to ensure that important data assets are formally managed. It helps make it clear to employees exactly what data they are or are not granted access to.
Various levels of access should be implemented, making sure that only those who need to work with strategic and confidential files have access.
Some social engineering attacks are not carried out to breach the company’s IT systems, but simply to encourage one of the employees to perform an action such as making a bank transfer or sending confidential files or bank details to an external party.
In this type of scenario, good data governance can add another layer of protection because the targeted employee will not necessarily have access to the data.
The attacker would either lose interest and move on to the next target or be forced to target other employees, thereby maximising the chances of someone discovering the attack.
Sourced from Wieland Alge, VP and GM EMEA, Barracuda Networks