It’s no secret that people are often the weakest link in the cybersecurity chain. Human error is frequently the culprit in data breaches and other security incidents, whether it’s someone clicking on a phishing email, accidentally leaving data exposed on cloud applications or infrastructure, or unwittingly losing a device with sensitive information on it. Apart from carelessness or negligence that can account for mistakes like these, another threat that’s often overlooked is social engineering, in which skilled and opportunistic threat actors exploit human nature for their gain, particularly in advanced cybersecurity attacks. If threat actors are determined to find a weak spot in your organization, your staff is often where they’ll start.
With a remote workforce now the norm for many organizations as a result of the ongoing COVID-19 pandemic, social engineering attacks like business email compromise (BEC) are ramping up as threat actors seek to take advantage of employees who might be distracted or paying less attention to security than they would in a physical office environment.
In this blog, we’ll take a look at the reasons why these attacks are successful and offer some tips on how you can avoid becoming a victim.
Reason #1: People Care, Machines Don’t
If you’re emailing a critical report and the file is over the size limit for your mail server, your email isn’t going to go through. After all, the mail server couldn’t care less whether your job depends on it being delivered. But people are more forgiving. They don’t want someone to get fired because they couldn’t email a report in time, so they usually try to help out.
However, that willingness to help can turn into an opportunity for a social engineer to strike. A targeted spear phishing email impersonating a colleague might say, for example, “I’m doing a presentation for my boss in 10 minutes. Can you review the attached document to be sure this looks good?”
In this instance, you’d probably think you’re simply helping a co-worker instead of enabling a potential attacker — especially if everyone’s working remotely and you can’t just walk over to their desk to review it with them as you might have in the past.
Reason #2: Workers Reveal Personal or Confidential Information on Social Media
While social media and professional networking websites are excellent information and communication tools that make our lives easier, they’re also sources of a lot of intel for social engineers. As Jai Vijayan from Dark Reading puts it, social media sites are “a huge blind spot in enterprise defenses.”
A recent survey on cybersecurity training programs found that an average of 15 percent of end users incorrectly answered questions related to using social media safely in the workplace. Oversharing corporate information on social media — or personal details that could be used effectively in a social engineering attack — remains a cybersecurity risk factor. Cybercriminals also take advantage of social media to share malicious links or to send emails that appear to be legitimate communications from those platforms, to trick users into clicking on links.
Reason #3: Employees May Have a ‘Not My Problem’ Attitude
Just as much as workers’ caring and helpful nature can be used against them, so too can their lack of care. Lack of care isn’t always the same as being completely negligent. There are plenty of examples of workers who know something isn’t right, or that more cautious action needs to be taken, but who are too preoccupied to follow through or don’t think it’s their problem to solve.
Here’s a conversation that happens all too often:
Employee 1: “I’ve never seen this person in our office before, and they don’t appear to have an employee badge or visitor’s pass.”
Employee 2: “Must be a new hire or a guest of an executive. Oh well, I’m sure someone knows why she’s here.”
It’s convenient to depend on someone else to have the answer; it’s inconvenient to take an extra step out of a busy workday to find the answer. Social engineers depend on that attitude to slip through your organizational defenses, whether they’re literal or virtual.
Reason #4: People Mean Well, but Are Forgetful and Habit-Prone
The reality is that no matter how much cybersecurity training and education employees get, there’s a tendency to fall back on basic human and workplace instincts. Breaking old habits is always tough.
For example, when checking an email that appears to come from someone you know or a trusted source, it’s a natural habit now to click links or open attachments, especially if you’re in a rush. Social engineers are counting on those habits and impatience as well. There’s so much going on in any given workday that lapses in judgment happen easily and can dupe even the savviest staff.
What You Can Do
So how can you help prevent this type of behavior? Can you at least curb it enough to prevent social engineers from being successful?
With the right tools, you can prepare your workforce to be more aware of social engineering attacks and respond appropriately. Here are several important fundamentals to practice:
- Stay Aware and Educated: If your staff isn’t aware of the different threats that exist, they have little hope of detecting or defeating social engineering. Provide regular updates on new threats and tactics and what may signal a social engineering attempt.
- Verify Suspicious Activity: If something doesn’t seem right, verify it. Check badges, access requests, phone numbers, websites and email addresses. Look people up on LinkedIn or their company’s website to see if they work where they say they do. People need to have confidence when challenging suspicious activity, whatever that may be. It’s critical that employees know that leadership will have their back, even if it causes an inconvenience or delay.
- Analyze Before Hitting Send: Before sharing any information, consider the ramifications of that data being made public or how it might be used against you in a social engineering attack, and encourage your employees to do the same. Who could use it? Would it be embarrassing? How could it hurt your company or your customers? How might someone use that information to pretend they’re a trusted
- Always Err on the Side of Caution: Sensitive company data should be handled with the same care about release as classified information. If in doubt, consider it sensitive and internal only. Pick up the phone to call your colleague before sending them your company’s W2 information, for example, to make sure it’s a legitimate request, instead of just emailing it without question. It’s better to err on the side of caution than risk making something available to malicious actors. This applies to information and requests coming from within and outside your organization.
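The “verify it” advice above can be partly automated. The following is an added example, not code from the original post: a small triage helper that inspects a message’s From and Reply-To headers for three common business email compromise signals mentioned in this post, namely a display name that matches an internal colleague but an address outside the company domain, a Reply-To that redirects the conversation away from the visible sender, and a sender domain that imitates the company domain (digit-for-letter substitutions or a one- or two-character edit). The company domain, the staff directory and the sample messages are all constructed for the example and are not real.

```python
# Added example (not from the original post): header triage for colleague
# impersonation and look-alike sender domains. All domains, names and
# messages below are constructed for illustration.
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed corporate domain (constructed)

# Assumed internal directory: display name -> canonical address (constructed).
DIRECTORY = {
    "ada lovelace": "ada.lovelace@example.com",
    "grace hopper": "grace.hopper@example.com",
}

# Substitutions commonly used to build look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Fold look-alike substitutions so 'examp1e.com' becomes 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates the company domain but is not it."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    if normalize_domain(domain) == COMPANY_DOMAIN:
        return True
    # Catch swapped, dropped or doubled letters, e.g. 'exmaple.com'.
    return edit_distance(domain, COMPANY_DOMAIN) <= 2


def domain_of(address: str) -> str:
    """Return the domain part of an address, lower-cased ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(headers: dict) -> list[str]:
    """Return human-readable findings for one message's From/Reply-To headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))

    # 1. Display name of a known colleague, but not their directory address.
    known = DIRECTORY.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' matches a colleague but address is {addr}")

    # 2. Reply-To sends replies somewhere other than the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To {reply} differs from From {addr}")

    # 3. Sender domain imitates the company domain.
    from_domain = domain_of(addr)
    if from_domain and is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")
    return findings


# Constructed sample messages: one legitimate, two modelled on the
# "review this in 10 minutes" colleague-impersonation pattern described above.
SAMPLES = [
    {"From": "Ada Lovelace <ada.lovelace@example.com>"},
    {"From": "Ada Lovelace <ada.lovelace@webmail.test>",
     "Subject": "Can you review the attached document in 10 minutes?"},
    {"From": "Grace Hopper <grace.hopper@examp1e.com>",
     "Reply-To": "accounts@payroll-updates.test"},
]


def triage(messages=SAMPLES) -> dict:
    """Map each message index to its findings (an empty list means nothing flagged)."""
    return {i: check_message(m) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for idx, hits in triage().items():
        print(idx, "OK" if not hits else "; ".join(hits))
```

A hit from this helper is a prompt to verify out of band (call the colleague on a number you already have), not proof of an attack; a legitimate colleague mailing from a personal address will also trip the first check, which is exactly the case the post says to confirm by phone.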
Following these defense techniques will deter adversaries and make their job significantly harder while making you and your organization significantly safer. For example, you could start with a mandatory cybersecurity awareness training course that all of your staff must go through annually. This is a cost-effective way to reduce cybersecurity risk and educate your workforce. You could also conduct a risk assessment to see where your weak spots are in terms of people, process and technology, and remediate any gaps accordingly. By putting some basic cybersecurity practices into place, you can avoid social engineering attacks.