3 Ways to Protect your Legal Business from Social Engineering Cyberattacks

Table of Contents

1 Challenge

  • “Some companies in my industry were recently hit by costly social engineering cyber attacks. I’m worried that my company is vulnerable too.”

2 Questions

  • “What is a social engineering attack?”
  • “How can I protect my firm from such attacks?”

3 Ideas

“Social engineering” sounds like a cool concept. Does it have anything to do with applying out-of-the-box engineering techniques to create positive results for companies?

No, it doesn’t, and no, it’s not a “cool” concept.

If anything, social engineering can be extremely harmful for your organisation.

You may already be familiar with cyber threats and cyber attacks. Every year, thousands of organisations all over the world are hit by attacks in which bad actors, cybercriminals, cyber terrorists and even rogue nations gain access to enterprise IT networks, compromise systems, disrupt operations, steal sensitive data, and even engage in digital extortion.

2020 and 2021 were especially bad years for companies, cybersecurity-wise. In 2020, 75% of companies experienced a data breach in which they lost sensitive information. After COVID-19 hit, 20% of firms in one study said they had suffered a security breach caused by a remote worker. And in 2021, the cost of cybercrime rose to $6 trillion.

So if your company has not suffered a cyber attack yet, consider yourself both lucky and forewarned, because sooner or later, you will experience an attack or breach.

One attack type that you should prepare for is the social engineering attack.

What is a social engineering attack?

How serious is it?

And how can you protect your business?

Keep reading to know more.

What is Social Engineering?

Social engineering is a technique that bad actors use to manipulate people for malicious purposes. A social engineer uses psychological and behavioural tricks, such as flattery, fear and panic, to trick users into:

  • Making security mistakes or bypassing security controls
  • Giving away sensitive information such as user IDs and passwords
  • Divulging confidential, personal or protected information that belongs to them, or to the company

In short, a social engineering attack fools a victim into doing something they wouldn’t normally do.

Usually, the attacker first gathers background information about the intended victim. Then they try to gain the victim’s trust, and get them to lower their guard. After they accomplish this, they get the victim to divulge sensitive or confidential information. Finally, the attacker or scammer uses this information to go after their final target, i.e. YOUR COMPANY.

Once they gain access to your company’s network, they can steal your data, spy on you, install malicious software on your systems, and even lock your systems and demand a king’s ransom to unlock them.

Are Social Engineering Attacks Dangerous?

In one word: YES!

Social engineering is especially dangerous since it relies on human weaknesses and errors rather than on technical vulnerabilities in your IT systems, such as software, endpoints, operating systems, etc. A scammer uses deception to appeal to a victim’s heart or mind, and uses their tendency to feel fear, sympathy or panic against them. To succeed, all they need is an ability to understand people and gain their trust. No technical skills are required to take advantage of people.

Humans and human behaviours are unpredictable, so it’s very difficult to completely avoid or thwart social engineering attacks. It’s also harder to identify a social engineering attack, compared to say, a malware-based intrusion.

Yet another problem is that social engineering comes in many different forms. For instance, a scammer may use “pretexting” and pretend to need a victim’s personal or financial information to confirm their identity. Or the attacker may infect a website its targets visit often in a “watering hole attack”. They may also promise the victim something in return for information or help (“quid pro quo”), make a false promise (“baiting”) to pique their greed or curiosity, or bombard them with fictitious threats via “scareware”, malicious software that poses as a security alert.

One of the most common social engineering attacks is “phishing”. In this technique, attackers send fake emails that look like they originate from a legitimate company, such as a bank or government agency. The email then urges the victim to click on links to malicious websites, enter sensitive information (e.g. bank login passwords) into these websites, or open attachments that contain malware and infect their systems when opened.

In 2020:

  • Phishing scams were involved in 36% of data breaches
  • 57% of companies experienced such scams compared to 55% in 2019
  • There were almost 15X more phishing complaints in 2020 compared to 2016
  • After a phishing attack, 60% of firms lost data and 47% were infected with ransomware
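To make the tells described above concrete, here is an added Python example (not code from the article) that applies three of them to two constructed sample messages: a sender domain that is not the real organisation's, a link whose visible text points somewhere other than its real destination, and pressure language or risky attachments. The domains (all on the reserved .example TLD), the keyword list and the trusted-domain set are assumptions for the demo; a real mail gateway would use the firm's own verified domains.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first mimics the pattern
# described above: a lookalike sender domain, urgency, and a link whose
# visible text does not match its real destination.
SAMPLE_PHISH = """\
From: "Acme Bank Security" <alerts@acme-bank-login.example>
To: partner@lawfirm.example
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended in 24 hours unless you confirm your details.</p>
<p><a href="http://acme-bank-login.example/verify">https://www.acmebank.example/secure</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Acme Bank" <notices@acmebank.example>
To: partner@lawfirm.example
Subject: Your March statement is available
Content-Type: text/plain; charset=utf-8

Your statement is ready in online banking. Log in from your bookmarked address as usual.
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "24 hours")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".zip", ".docm", ".xlsm")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL; bare 'www.x.example/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host: str, trusted: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyse(raw: str, trusted_domains: set) -> list:
    """Return finding codes for one RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender is None or not _is_trusted(sender.domain.lower(), trusted_domains):
        findings.append("untrusted-sender-domain")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""

    collector = LinkCollector()
    collector.feed(body)  # plain-text bodies simply yield no links
    for href, text in collector.links:
        href_host = _host(href)
        if not _is_trusted(href_host, trusted_domains) and "link-to-untrusted-domain" not in findings:
            findings.append("link-to-untrusted-domain")
        # Visible text that looks like a URL but resolves to a different host
        if "." in text and " " not in text and _host(text) != href_host:
            if "link-text-mismatch" not in findings:
                findings.append("link-text-mismatch")

    haystack = (str(msg["Subject"] or "") + " " + body).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        findings.append("urgency-language")

    for att in msg.iter_attachments():
        if (att.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment")
            break

    return findings


if __name__ == "__main__":
    print("phish:", analyse(SAMPLE_PHISH, {"acmebank.example"}))
    print("legit:", analyse(SAMPLE_LEGIT, {"acmebank.example"}))
```

The checks are deliberately simple string and hostname comparisons; they are the kind of rule a firm can run on inbound mail or teach staff to apply by eye (hover over the link, read the real sender domain, treat pressure language as a warning sign) rather than a substitute for a commercial filter.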

Are you convinced yet that social engineering attacks are extremely dangerous for your company?

If yes, keep reading to learn how you can protect your business from such attacks.

3 Ways to Protect Your Business from Social Engineering Attacks

1. Implement Multifactor Authentication (MFA)

MFA is a reliable way to address the security weaknesses of password-only systems. In almost every social engineering attack, scammers are looking to fool people into revealing their credentials (user names and passwords). They then use these credentials to impersonate the genuine users, in order to gain access to – and compromise – enterprise systems and databases.

With MFA, users will be required to authenticate themselves with more than just passwords. MFA systems that ask for OTPs and biometrics to complete the authentication process are now becoming increasingly common – and with good reason. Even if an attacker manages to get their hands on a user’s credentials, they still cannot enter a system, because they don’t have the second or third factor required to complete the authentication.

Thus, even if a user’s password is stolen, MFA makes it much harder to turn that theft into a system compromise.
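To show the second-factor argument in working code, here is an added Python example (not code from the article) of a login check that requires both a password and a time-based one-time code, with the RFC 6238 TOTP algorithm implemented from the standard library. The user store, salt and password are constructed for the demo; the TOTP secret is the RFC's own reference secret, so the six-digit codes can be checked against its published test vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo user store (not a real system). In production the salt is
# per-user and the TOTP secret is generated randomly at enrolment.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _ITERATIONS),
        "totp_secret": b"12345678901234567890",  # RFC 6238 reference secret
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(username: str, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and one step either side (clock drift)."""
    user = USERS.get(username)
    if user is None or not code:
        return False
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], c).encode(), code.encode()):
            return True
    return False


def authenticate(username: str, password: str, code: Optional[str], now: int) -> bool:
    """Both factors must pass; a phished password on its own is rejected."""
    # Evaluate both factors regardless of the first result so the response
    # time does not reveal which factor failed.
    pw_ok = verify_password(username, password)
    otp_ok = verify_totp(username, code or "", now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the matching 6-digit code is 287082
    print("password + code:", authenticate("alice", "correct horse battery staple", totp(USERS["alice"]["totp_secret"], now), now))
    print("password only:  ", authenticate("alice", "correct horse battery staple", None, now))
```

One caveat a practitioner should keep in mind: a one-time code is still something the user types, so a phishing page that relays the login in real time can capture and replay it within the same 30-second window. OTP-based MFA raises the bar considerably over passwords alone; phishing-resistant factors such as FIDO2 security keys or passkeys, which bind the authentication to the genuine site, raise it further.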

2. Install Up-to-date Antivirus and Antimalware Software

Strong antivirus and antimalware software can protect your company from the malware that social engineering attacks deliver. However, such attacks are constantly evolving, so it’s important to keep these protective controls updated at all times. Make sure both the antivirus and antimalware software update automatically. Download the latest signatures first thing every single day. Also periodically confirm that all updates have been applied. And last but not least, run regular scans to look for and clean up possible infections.

Some other protective controls you should implement are:

  • Implement spam filters and set them to “high”
  • Secure the enterprise network with a reliable firewall
  • Consider using a VPN, especially if your team is working remotely
  • Implement a password policy across the company
  • Review all processes and procedures for important transactions, especially transactions that involve money or sensitive information

3. Train Users on the Risks of Social Engineering

As mentioned earlier, social engineering attacks are so dangerous – and successful – because they take advantage of human complacency, behaviours, feelings and tendencies. That’s why it’s critical to involve people in the fight against this threat.

Train your employees on how to recognise and resist such attacks. If someone asks them for some information, tell them to first verify that the person is who they say they are. They should also confirm that the requestor is authorised to ask and receive such information.

The training and awareness programme should also teach users that they:

Should:

  • Scrutinise all email requests until they can confirm the sender’s identity
  • Delete all requests for personal information or passwords
  • Follow up on suspicious requests for information by contacting the purported sender via telephone
  • Be wary of all tempting offers that promise a big reward in return for clicking on a link or providing sensitive information

Should not:

  • Reveal facts about the company to strangers, especially on social media
  • Accept any requests for help or offers of help without doing proper research about the sender
  • Click on links within emails or open attachments, especially if the email is from an unrecognised sender
  • Reuse, write down or share passwords

Make sure the training is regular, and updated with real-world examples, case studies and assessments. Also test users on their ability to resist social engineering attacks. Implement strong governance controls to strictly enforce security policies. If necessary, add an element of punishment or fines to deter lazy or ignorant employees from putting the company at risk.

Conclusion

According to one cybersecurity company, 98% of cyber attacks rely on social engineering. Adversaries use such attacks against all kinds of companies, so no company is safe. Protect your organisation from the threat of social engineering by implementing the 3 strategies explained in this article.
