Social Engineering

2015 marked an important year in the world of network security. For the first time, social engineering attacks outnumbered attacks on software vulnerabilities and exploits. This is a serious problem. Since January 2015, the number of victims identified by the FBI has increased 270%, costing businesses more than $2.3 billion. The message to network security professionals is clear: hackers are targeting the weakest link in any security perimeter … the end user.
What is Social Engineering?
For companies to stay productive, they need employees to be able to work from anywhere on any device, often collaborating with people around the world. This mobility drives not only the need for secure file sharing and email accounts but also a fundamental shift in our approach to computer security.
Social engineering happens when someone uses manipulation, influence or deception to get another person to release information or to perform some sort of action that benefits a hacker. Hackers will often take advantage of genuine security gaps in your network. But at organizations of any size, layers of sophisticated computer security can be undone in seconds because one employee—whether because of trust, lack of awareness, or carelessness—reveals company information to someone with malicious intent.
Your employees could be tricked into anything from allowing someone to tailgate them into your data center to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit, such as:
- Personal information, including passwords and account numbers.
- Company information, including phone lists and identity badges.
- Server information, including networks and non-public URLs.
Familiarizing yourself with social engineering techniques is your first line of defense.
What A Social Engineer Sounds Like
You might believe that social engineers would be easy to spot. But often enough, they sound like people you run into at work every day.
On the phone:
“This is Kevin from IT. We've been notified of a virus on your department’s machines.”
One of the most common scams—a hacker poses as an IT help desk worker to glean sensitive information, such as passwords, from an unsuspecting employee.
At the reception desk:
“Hi, I’m the service tech from HP and I think Ellen is expecting me at 1 p.m.”
This is why well-meaning staff members and other insiders need to be educated as to how and why they could be targeted—and what to do if they suspect a potential threat.
At the building entrance:
“Oh! Wait, could you please hold the door? I left my key/access card in my car.”
People want to be helpful, and they often downplay the risks of engaging with someone they don’t know—and that can be a perilous mix.
Cyber Crime Cripples Business
Legendary programmer and developer of the first commercial antivirus program, John McAfee has said, “Social engineering has become about 75% of an average hacker's toolkit, and for the most successful hackers, it reaches 90% or more.”
Clearly, social engineering is a very real problem with very few real solutions. In addition to the obvious financial toll, a company’s reputation can take a major hit when a hack becomes public. Compromised personal data can erode the faith and goodwill of its customer base—and that too affects the bottom line.
Protect Your Information
- Password management – Outline rigorous standards for secure passwords and insist on regular expiration and change. Also, ensure careful onsite and remote access authorization.
- Two-factor authentication – Use two-factor authentication rather than fixed passwords to authenticate high-risk network services like VPNs.
- Antivirus/anti-phishing defenses – Layers of the latest antivirus defenses at vulnerable locations like mail gateways and end-user desktops aren’t going to solve the problem, but they’re a good place to start.
- Information classification – Confidential information must be clearly called out and handled properly.
“There are two types of companies: those that have been hacked, and those that do not know they've been hacked,” says John Chambers, CEO of Cisco.
Why is this the case? Because every organization is powered by people. And, no matter how strong your technical security is, your organization’s people are often the most vulnerable link in the chain.
Fortunately, with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering.
Since 1981, Oakwood has been helping companies of all sizes, across all industries, solve their business problems. We bring world-class consultants to architect, design and deploy technology solutions to move your company forward. Our proven approach guarantees better business outcomes. With flexible engagement options, your project is delivered on-time and on budget. 11,000 satisfied clients can’t be wrong.