Cybersecurity will always be much more than the latest security software or hardware gadget out in the market. At the end of the day, your business’s cybersecurity hinges on the people that designed the computers and software you use and the people that use them. I make the above statement with the caveat that cybersecurity is also dependent on the people that try to circumvent your business’s cybersecurity controls. This is the eternal game of cat and mouse that existed long before computers and will exist well into the future. Fraudsters and thieves have been the predators of the innocent and hardworking since the beginning of time. In fact, nearly all the world’s belief systems have a fraudster, trickster, or thief ingrained in them. The serpent in the Garden of Eden, Loki in Norse legends, the trickster as a coyote that takes many forms across different Native American tribes all play the same role. So, it should come as no surprise that the fraudster continues in the digital age. That isn’t to say the fraudster is supernatural. Instead, the fraudster is all too human and preys on human vulnerabilities to get through all the controls we put in place to keep them away from our treasures. The following is a brief introduction to social engineering, phishing, and the steps you can take to help secure your business.
What is social engineering?
Social engineering is the act of playing on people’s expectations and cultural norms to gain unauthorized access. I like this definition because of the ambiguity of “access.” In terms of cybersecurity, the access could be to specific networks, accounts, or software packages. However, social engineering is not only about computer access. Social engineering can also be used to gain unauthorized access to a physical location. I am a firm believer that as long as you can make others believe you belong in a restricted area, your presence will likely go unchallenged. Props are also used for the sake of gaining access. There are multiple YouTube videos in which people gain access to restricted areas simply by carrying ladders with them. Less cumbersome than a ladder but equally effective is a box of pastries and a carafe of coffee. People are inherently helpful and will hold the door open for someone who is clearly carrying goodies for the rest of the office. Unfortunately, our goodwill is exactly what is being exploited. Most security incidents, both physical and cyber, occur because of some successful level of social engineering. While cybersecurity incidents still have a technical component (exploiting security vulnerabilities), the idea of solely using technical exploits is outdated. Another method of social engineering is the use of restricted timelines and a sense of urgency. We often see this employed as a legitimate sales tactic: “limited time offer” and “first 50 callers get an added bonus.” In social engineering, it is often paired with an order from a superior asking for sensitive information that must be delivered immediately. This is where social engineering most often meets the technical realm of cybersecurity, in the form of phishing emails.
What is phishing?
Phishing is a tactic that uses emails sent from seemingly legitimate sources to members of a company to get them to click a malicious link or disclose important information. Phishing emails often use a senior business officer’s name and email address coupled with a message that imparts a sense of urgency to get the recipient to act. Using the senior business officer’s email address can be done by spoofing (falsifying the address) or by using an email address that is very close to the official address but off slightly, email@example.com (real) vs firstname.lastname@example.org (fake). The sense of urgency is where social engineering and phishing intersect. Another combination of social engineering and phishing is the use of amazing deals from well-known retailers with links to the deals. These links may redirect the recipient to a fraudulent web page that collects their account information as they attempt to log in, or may cause a malicious software package to download. In either case, the attacker has manipulated the recipient into creating an opportunity to steal information or infiltrate a system by technical means.
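The lookalike-address trick described above (a domain that is one character off, a different top-level domain, or the real domain buried inside a longer one) can be checked mechanically at the mail gateway or in a triage script. The following is an added example written for this post, not code from the original article or from Quantum Vigilance. It assumes the business’s real mail domain is "example.com" (an assumption) and uses constructed From: headers as sample input; it flags senders whose domain or display name impersonates the organization so they can be quarantined or routed to a reviewer.

```python
"""Flag inbound senders whose address or display name impersonates the organization.

Added example, not the page's code. ORG_DOMAIN is an assumption; the headers
below are constructed sample data, not captured mail.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the business's real mail domain

# Constructed sample From: headers (not from any real mailbox).
SAMPLE_FROM_HEADERS = [
    '"Jane Doe, CFO" <jane.doe@example.com>',                     # legitimate internal sender
    '"Jane Doe, CFO" <jane.doe@examp1e.com>',                     # digit 1 substituted for letter l
    '"Jane Doe, CFO" <jane.doe@example.org>',                     # same name, wrong top-level domain
    '"Jane Doe, CFO" <jane.doe@example.com.attacker-mail.test>',  # real domain used as a subdomain
    '"Jane Doe (example.com)" <jdoe123@free-mail.test>',          # org named only in the display name
    '"Weekly Deals" <news@retailer.test>',                        # unrelated external sender
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_parts(from_header: str) -> tuple[str, str]:
    """Return (display name, lower-cased domain) from a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def classify_sender(from_header: str, org_domain: str = ORG_DOMAIN) -> str:
    """Classify a sender relative to the organization's real domain.

    Verdicts: internal, lookalike-subdomain, lookalike-tld, lookalike-typo,
    display-name-impersonation, external, malformed.
    """
    name, domain = sender_parts(from_header)
    if not domain:
        return "malformed"
    if domain == org_domain:
        return "internal"
    org_label = org_domain.split(".")[0]
    domain_label = domain.split(".")[0]
    # "example.com.attacker-mail.test": the real domain appears, but only as a prefix.
    if domain.startswith(org_domain + "."):
        return "lookalike-subdomain"
    # "example.org": same registrable label, different suffix.
    if domain_label == org_label:
        return "lookalike-tld"
    # "examp1e.com": within two edits of the real label. A threshold of 2 is a
    # reasonable starting point for labels this long; shorten it for short domains.
    if levenshtein(domain_label, org_label) <= 2:
        return "lookalike-typo"
    # Display name claims the organization while the address does not.
    if org_domain in name.lower():
        return "display-name-impersonation"
    return "external"


def scan_headers(headers: list[str]) -> list[tuple[str, str]]:
    """Return (header, verdict) pairs; anything other than internal/external warrants review."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:28s} {header}")
```

The classification is deliberately ordered from most to least specific so that a header matching several rules (the subdomain case also shares the "example" label) gets the most descriptive verdict. A production gateway would combine this with SPF/DKIM/DMARC results, which address outright spoofing of the real domain, a case this name-based check cannot see.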
What can be done?
All is not lost. There is a way to help your people become more resilient to social engineering and phishing attacks. Thankfully, it is as simple as 1, 2, 3, and it does not preclude them from being nice people who hold open doors.
1. Train your people to recognize what social engineering and phishing attacks are; this will greatly improve their ability to identify both. Understanding how these tactics work and to whom to report suspected cyberattacks will greatly decrease your business’s exposure to those attacks.
2. Have regular phishing simulations conducted to reinforce lessons learned. It is not enough to train people on the dangers of phishing attacks; they must also be able to spot them and remember the reporting guidelines in place at your business when such attacks occur.
3. Use phishing simulations to collect data regarding who may need additional training (for example, personnel that continue to click through phishing simulations). A training program that is not reinforced with practice and cannot be quantified with efficacy data does not provide value to your business.
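The efficacy data mentioned in the third step is usually exported from a simulation platform as one row per person per campaign. The script below is an added example for this post (not the article’s or Quantum Vigilance’s code) using constructed results; it computes per-campaign click and report rates and singles out the two groups that most need follow-up training: people who clicked in more than one campaign and people who have never used the reporting process.

```python
"""Turn phishing-simulation results into training-priority data.

Added example, not the page's code. SIMULATION_RESULTS is constructed sample
data in the shape most simulation platforms export (campaign, user, clicked, reported).
"""
from collections import defaultdict

# Constructed results: "clicked" = followed the simulated link,
# "reported" = used the business's reporting process for the message.
SIMULATION_RESULTS = [
    {"campaign": "2024-Q1", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2024-Q1", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2024-Q1", "user": "carol", "clicked": True,  "reported": True},
    {"campaign": "2024-Q1", "user": "dave",  "clicked": False, "reported": False},
    {"campaign": "2024-Q2", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2024-Q2", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2024-Q2", "user": "carol", "clicked": False, "reported": True},
    {"campaign": "2024-Q2", "user": "dave",  "clicked": False, "reported": False},
]


def campaign_rates(results: list[dict]) -> dict[str, dict[str, float]]:
    """Click rate and report rate per campaign; the two trend lines worth tracking."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for row in results:
        t = totals[row["campaign"]]
        t["n"] += 1
        t["clicked"] += int(row["clicked"])
        t["reported"] += int(row["reported"])
    return {
        campaign: {"click_rate": t["clicked"] / t["n"], "report_rate": t["reported"] / t["n"]}
        for campaign, t in sorted(totals.items())
    }


def repeat_clickers(results: list[dict], min_clicks: int = 2) -> list[str]:
    """Users who clicked in at least min_clicks campaigns: the first group to retrain."""
    clicks: dict[str, int] = defaultdict(int)
    for row in results:
        if row["clicked"]:
            clicks[row["user"]] += 1
    return sorted(u for u, c in clicks.items() if c >= min_clicks)


def never_reported(results: list[dict]) -> list[str]:
    """Users who have not reported a single simulation: they may not know the process."""
    seen: set[str] = set()
    reporters: set[str] = set()
    for row in results:
        seen.add(row["user"])
        if row["reported"]:
            reporters.add(row["user"])
    return sorted(seen - reporters)


def training_priority(results: list[dict]) -> list[str]:
    """Repeat clickers first, then non-reporters, with no duplicates."""
    ordered: list[str] = []
    for user in repeat_clickers(results) + never_reported(results):
        if user not in ordered:
            ordered.append(user)
    return ordered


if __name__ == "__main__":
    for campaign, rates in campaign_rates(SIMULATION_RESULTS).items():
        print(f"{campaign}: click {rates['click_rate']:.0%}, report {rates['report_rate']:.0%}")
    print("training priority:", training_priority(SIMULATION_RESULTS))
```

Report rate deserves as much attention as click rate: a falling click rate with a flat report rate means people are ignoring suspicious mail rather than escalating it, which leaves the security team blind to the real campaign that the simulation was meant to prepare them for.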
While fraudsters and tricksters will always be among us, we do not need to make ourselves easy targets for them. By learning what systems the fraudsters and tricksters exploit (in this case our humanity), we can stop them before they take advantage of your people and your business.
Quantum Vigilance can help you identify risks and vulnerabilities in your business’s information technology ecosystem. Implementing a cybersecurity awareness training program that focuses on those risks and vulnerabilities will also decrease exposure to social engineering and phishing attacks. Our goal is always to provide cybersecurity guidance you can understand that will help your business thrive in the face of cyber incidents.