Businesses usually assume that they know what to avoid when it comes to social engineering scams. Emails from a ‘Nigerian Prince’ that you've never heard of asking for money, or a dodgy-looking email asking for bank details, will usually be swiftly deleted.
But social engineers are infiltrating organisations in increasingly complex forms. Whilst traditional email scams are well known, other forms of social engineering are much subtler, and can appear in the form of a “technician” coming into a workplace and physically hacking a machine, or a cleverly designed and personalised spear-phishing email that claims to be from your CEO.
That said, you would have to be pretty inexperienced to fall for a social engineering scam, right? Wrong. Anyone can become a victim of a social engineering attack – in May last year, Walter Stephan, CEO of plane part manufacturer FACC, believed an email purporting to be from another senior member of staff was real, and took part in a ‘secret transaction’ which cost the company about £39 million. Another infamous example is that of the breach at security company RSA in 2011, in which two small groups of employees were targeted. These groups, RSA explained in a blog post, wouldn't be considered ‘particularly high-profile or high-value targets’.
The fault that makes us such ideal victims of social engineering scams lies in our own human nature. These attacks target individuals, and take advantage of trust and naiveté. This is why it's important for businesses to encourage employees to be more suspicious and train them to spot potentially malicious content.
Defending against this threat is increasingly important as social engineering is becoming more inventive, more sophisticated, and more widespread. A study by Proofpoint found that social engineering was the top attack technique in 2015 for beating cyber-security defences.
Employees are, and always will be, a business's weakest link when it comes to security. Many will have access to sensitive corporate information, and more junior members of staff in particular may not be aware of the potential consequences of this information falling into the wrong hands.
In an increasingly connected world, hackers will look for ever-more creative ways to target an individual. Plenty of information is easily available online, with even more data there to be accessed following a string of data breaches. This data is certainly enough for any social engineer to impersonate a close friend, colleague or authoritative figure, and trick an individual into revealing sensitive information.
With these social engineering techniques becoming more sophisticated, how can businesses avoid becoming victims of social engineering? Firstly, the importance of education cannot be overstated. This should cover basic cyber-security hygiene such as regularly changing passwords, not clicking on links or attachments that employees are unsure about, and keeping antivirus software up to date. Having security-savvy staff benefits any business and will only become more important.
Employees should also be encouraged to question even seemingly normal processes. In companies with complex supply chains, this may be difficult, as emails will frequently arrive from suppliers or contractors. However, individuals should still question anything out of the ordinary.
Having all of these practices in place will help, but if the worst does happen, it's important that staff feel that they are able to report any incident that they are worried about to a dedicated individual or team.
Even the most well-trained staff will sometimes accidentally click on a malicious link, so education can't be relied on completely. In some cases, individuals are understandably keen to open that attachment in an email that claims to be from their CEO. This is when companies have to step in and save employees from themselves with proactive and relatively simple security measures. These can include limiting users' access to important files and preventing them, or anyone who has control of their device, from changing network settings. This can be particularly important for junior members, who are often the first target of social engineering attacks as they may not understand the value of the data that they are handling; if they have no access to corporate information, they are no longer a threat.
Sandboxing will also prevent attachments or downloaded files from having a negative impact on the company, as it will isolate any threat and prevent it from spreading through a corporate network. Application control should help to limit the damage that could potentially be caused by a user downloading malware accidentally, even if that user is a CEO who has access to all sensitive data.
Basic cyber-security measures can help to stop most social engineering attacks – companies and their employees just need to be aware of the threat, and be prepared by getting the foundations of cyber-security right. Proactive but usually simple security measures are often all that is needed to mitigate the vast majority of threats and provide businesses with peace of mind.
Contributed by James Maude, senior security engineer, Avecto