Can Training Save Your Business from the Next Cyber Attack?
Social engineering risks are keeping business leaders up at night! In the Business Continuity Institute 2018 Horizon Scan Report, four of the top 10 threats identified by business leaders are most often the result of a social engineering exploit. In a recent KnowBe4 report, over 91% of successful security breaches started with social engineering. Most leaders identify their top risks as cyber attacks, data breaches, unplanned IT outages, and security incidents, but at the end of the day, the number one cause of these risks is social engineering exploits of their staff.
"Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional 'con' in that it is often one of many steps in a more complex fraud scheme."
What should concern most business leaders is that social engineering exploits cannot be stopped by technology alone. This means that the continuity of every business relies heavily on the capability, knowledge, and skills of the employees and contractors of the organization. This includes everyone from custodial staff to the board of directors, as they all are given some level of trust by the organization.
Consider An Example
A simple, non-technical, social engineering example comes from one of my co-workers who was tasked with making early morning changes as part of a critical maintenance window at an enterprise client. When he arrived on site, he discovered that he had grabbed the wrong security badge -- the ones that all look the same, white on one site, logo on the other.
The timeline of the maintenance window was critical, and he was authorized to make the change. He happened to see the cleaning staff entering via the employee entrance. After a quick offer to help carry in some cleaning equipment, while positioning himself further away from the door, and flashing the white side of the incorrect badge, the cleaning staff swiped him into the building.
Within seconds of entry, he saw the night security guard on his regular rounds, heading in the right direction. A quick jog to catch up, some small talk about publicly available information about the business with the guard (a lonely job with little human interaction), an offer of a cup of coffee, while again positioning himself farther away from the door and displaying the white side of the card to the guard, and he was swiped through into the secure area. Now luck kicked in, as the third security door into the server room was propped open with a fan to help keep an overloaded server room cool. Three levels of physical security passed through in under a few minutes allowed the maintenance window to be completed on time.
All of this might seem like the employees and contractors were not doing their jobs correctly, but in reality, they were human beings, making human mistakes. That is the simplicity of social engineering: Hackers take advantage of our training by society and our parents.
We are not all trained the same, but there are some base assumptions that hackers can make around most humans being helpful, courteous, and in some cases greedy. Historically, hackers have exploited these opportunities in person, similarly to the example above but with a malicious intent. Today, they have many other mediums to exploit employees. They can use email, websites, social media, and phone calls to attempt social engineering exploits on a much larger scale. Almost half of cyber attacks hit small business, which means they are not necessarily targeted attacks.
A common social engineering method is phishing attacks. Most successful cyberattacks are the result of a phishing scam. This means that human error, not technology, is your primary risk factor. Even very well educated and trained security and IT professionals are vulnerable.
I recently received an email that looked completely legitimate at first glance. The email was thanking me for completing a survey, after attending a webinar, and offering an Amazon gift card in appreciation. Initial reaction: Awesome, I can find a way to spend that! Thankfully, my security radar was up, and I read the email more carefully. It was almost perfect except for a spelling mistake in the terms and conditions ("orders" was missing the "r") and in the link to accept the gift card (flipped two letters in Amazon, which was hidden by a graphic being used as the link). Email deleted, risk averted. My training worked, this time.
This email, however, was good enough to slip by some of the top threat detection and security tools. Technology can help, but it is not the complete answer. If I had clicked on the link, they may have gained command and control access to my computer and then leverage that access to other systems for which I had privileges. They could have gained access to data or embedded ransomware in key systems.
For when we do make mistakes, we have several secondary security measures in place:
- We enforce two factor authentication (2FA) to access sensitive information.
- We use separate accounts for systems administration.
- Our firewall configuration does not allow traffic out to known command and control servers.
- We have breach detection and security operational processes in place.
- We have procedures for business transaction and human resource approvals to prevent fraud.
- All our systems are updated religiously, including operating systems and applications.
- All laptops, computers, and servers have next-gen endpoint protection.
But most importantly, we use security awareness training that uses a range of social engineering tests to make sure we know what the potential attacks look like and we know what to watch for – it's changing every day. It saved the day in my phishing example, and it's been proven that security awareness training can reduce the risk of a breach by as much as 70%.
Business leaders try to cost effectively mitigate the significant risks to business using a variety of tools. Security awareness training is a cost-effective tool that needs to be part of your security risk mitigation strategy. This should be used in conjunction with technology to further mitigate the risks.
Will constant security attacks significantly compromise your organization or will your people, operations, and technology be ready?
"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.