The statistics are alarming. By mid-year 2021, the vast majority of breaches—85%—involved a human element. And 91% of breaches start with a phishing attack. These social engineering schemes put your employees squarely in the crosshairs of hackers, so it’s critical that you reinforce secure cyber defense practices with your staff. A successful attack can be incredibly costly in terms of downtime and damage to your business’s reputation – not to mention the costs that follow if you can’t get your data back at all.
A cyberattack can undoubtedly damage your business, but it can also affect your people. IT teams get hammered if a breach is successful. Fingers get pointed, and questions get asked. Culpability can reach up to the C-suite. But even that is changing, as fault reaches down to the front-line employee who initiates an attack by opening an infected PDF or clicking on a malicious link. If that employee should have known better, they are now frequently being fired. Those are serious consequences.
Attacks are more targeted
While everyone in your organization is at risk from a cyberattack, bad actors are focusing more and more on those areas where they can do the most damage. IT teams are at the top of that list because admin credentials are like the proverbial keys to the castle—getting past someone with those credentials grants access to some or even all of your company’s systems. And, while IT teams are technology experts, they don’t necessarily have the deep cybersecurity expertise to effectively fight off and respond to attacks. Executives are another prime target—especially CEOs and those in finance—because they offer an avenue to bank accounts, wire transfer information, and a trove of other confidential data.
Start with employee cybersecurity training
It would be unfair to hold any employee accountable—from the C-level to the front lines—if they didn’t know how to identify an attack. That starts with an effective cybersecurity awareness training program, where they learn to recognize and avoid cyber threats. Regular, ongoing training is the most effective way to help employees make smarter security decisions every day.
One key area that any cybersecurity training program should focus on is username and password best practices. Far too frequently, people use the same credentials across multiple accounts. If any one of those accounts is breached, the door is wide open, because the stolen usernames and passwords end up for sale on the dark web and can then be tried against every other account that shares them.
Recognizing social engineering attacks
While there is no substitute for an effective training program, there is also no time to waste preparing for attacks. With that in mind, I’d like to share a few key ways (criminal) social engineers gain access.
Phishing and its variants
As noted above, more than nine out of ten successful breaches start with a phishing attack. That means this form of attack should be top of mind for every employee in your business. Phishing is when a hacker sends a fraudulent email disguised as a legitimate one, usually from what appears to be a trusted source. The goal is to trick the recipient into clicking on a link or opening a file that installs malware, or into sharing other valuable information. Spear phishing has the same objective, but each attack is designed to trick a specific person or organization. Whaling is another form of phishing attack that goes after one particular individual, but in this case the target is a high-profile employee, say the CEO or CFO. And business email compromise (BEC) attacks occur when hackers send emails purporting to be from trusted senior staff members.
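As an added example that is not part of the original post, the heuristic below turns the BEC and whaling patterns just described into a simple header check a mail-filtering or SOC team can run: an executive's display name paired with a mailbox outside the organisation's domain, a lookalike domain one character off, or a Reply-To that quietly redirects answers elsewhere. The organisation domain, executive list and sample headers are all constructed assumptions.

```python
from email.utils import parseaddr
# Constructed assumptions: the organisation's own domain and its executives' real mailboxes.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "tom smith": "tom.smith@example.com"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""  # "" if no '@'

def within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if edits > 1:
                return False
            if len(a) > len(b):
                i += 1       # skip a character deleted from a
                continue
            if len(b) > len(a):
                j += 1       # skip a character inserted into b
                continue
        i, j = i + 1, j + 1  # match or substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def assess_message(headers):
    """Return the BEC warning flags raised by one message's From/Reply-To headers."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    sender_domain = domain_of(addr)
    display = " ".join(name.lower().split())
    if display in EXECUTIVES and sender_domain != ORG_DOMAIN:
        if within_one_edit(sender_domain, ORG_DOMAIN):
            flags.append("lookalike-domain")           # e.g. examp1e.com
        else:
            flags.append("exec-name-external-domain")  # exec's name on a foreign mailbox
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("reply-to-mismatch")              # replies silently go elsewhere
    return flags

SAMPLES = [  # constructed: one legitimate message and three BEC-style attempts
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <jane.doe.ceo@webmail.example>"},
    {"From": "Tom Smith <tom.smith@examp1e.com>"},
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "ap-team@other.example"},
]
```

Running `assess_message` over each entry of `SAMPLES` yields no flags for the first message and one flag for each of the other three; in practice these flags feed a quarantine or banner decision rather than an automatic block, since legitimate mail from personal accounts does occur.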
A growing list of attack tactics
While phishing stands out as the number one form of social engineering attack, there are many others. These include everything from angler phishing, where an attack is carried out via spoof customer service accounts on social media, to pharming, where web traffic is redirected from legitimate sites to malicious clones. A well-structured employee cybersecurity and social engineering awareness program will help your employees stay on top of the latest threats and how to counter them.
Assess your security posture
While fighting off social engineering attacks starts with employee training, there is no substitute for building an effective overall security strategy. That begins with understanding your current security posture so you can expose any vulnerabilities. A Cybersecurity 1:1 Review Workshop will help you gauge the effectiveness of your existing security measures, identify compliance requirements, and highlight your business’s unique risk factors.
It’s worth considering a complete security assessment, including a web application vulnerability scan and a firewall review, to reveal additional vulnerabilities such as weak firewall rules and missing updates and patches. Most importantly, the result of a Cybersecurity 1:1 Review Workshop should include a detailed list of recommended corrective actions that put you on a solid foundation for a more secure future.
Social engineering schemes will keep getting more insidious—and dangerous. Prepare your people and your organization through training, technology, and diligence so you can be confident in your defenses.
Thank you for trusting us to help with your cybersecurity needs. Contact us any time—we’re always happy to help.