The term 'cyberattack' brings to mind talented hackers breaking through sophisticated cybersecurity measures in a business's routers and other equipment in order to access secret hidden data. However, a 'cyberattack' can be much more than that - or, if you think about it, much less than that.
Really, What Are Cyberattacks?
You might be familiar with the business risks involved in clicking on unfamiliar links or visiting suspicious websites. You may even have heard of distributed denial of service attacks, malicious code such as trojan horse installations, and much more. However, you might be surprised that one of the most effective kinds of cyberattack can begin with answering a phone call or an incoming chat message.
Social engineering attacks are attacks that attempt to compromise a company’s data by leveraging a trusted employee's access by way of deception. This can be something as simple as a phone call, where the caller pretends to be an important user who has unfortunately forgotten his password and needs to change it.
The Many Ways Your Business Can Suffer Cyberattacks
“There are so many different ways that this can happen,” says cybersecurity expert Marc Goodman, author of The Future Crimes. “You send an email to someone saying, ‘I’m the CEO and I forgot my password. Please send it to me,’ and it gets forwarded to someone else who gets hacked.”
Whether it's an email or a phone call, contact is contact. Sadly, the security aspect of the human contact is often overlooked. Organizations often do not do enough to train employees to recognize and avoid these scams. “People are so focused on the human side of security that they’re often attacked by humans,” Goodman says. “But the human element is really the weakest part of the security chain.”
Small Businesses Are At Risk
While it's impossible to say how many organizations haven't been affected by social engineering, infosecurity.co.uk notes that the number of actual incidents is rising rapidly. In fact, BBC News reports that social engineering attacks, including on small businesses, rose by more than 70% in the last year.
As more and more sensitive data and intellectual property is accessed and stored in online cloud services, both small and large businesses are becoming increasingly vulnerable to social engineering attacks. “The amount of data that can be gathered online is growing exponentially, and unfortunately, so too are the ways in which that data can be attacked,” Goodman says. “What we see is the human side of the data security equation being ignored.” Small businesses can't ignore the danger anymore.
Social Engineering Attacks Are Cyber Threats
In reality, all organizations are vulnerable to social engineering, but some businesses are more vulnerable than others. While traditional cyber attacks are more or less successful depending on the level of technical protection installed on the computer systems, social engineering attacks are especially effective against organizations that have a decentralized structure, such as a loosely governed small business or sole proprietorship. The more reliably a cyber criminal can exploit a lack of organization in your structure, the more vulnerable your small business is to attack methods such as social engineering.
The Experts Weigh In
Bruce Schneier, author of Secrets and Lies: Digital Security in a Networked World, expanded on the thought with the following quote: “people often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.” That's a harsh, but fair, assessment. After all, not only are people the most variable and inconstant component of every company's security infrastructure, but they are also the ones that infrastructure is built to serve - and serve conveniently, at that. There's no point in having a security system that keeps everybody out.
Fortunately, there are ways to mitigate the risk of social engineering attacks, as well as help prevent another company from doing harm to your business. The following five tactics can help prevent social engineering attacks.
1. (RE)INFORCE SECURITY RULES
The most important step in protecting against social engineering attacks is to have a clear policy in place about how to deal with requests for access. The policy should specifically define what social engineering attacks actually are, as well as how you are prepared to respond in the event that an attack takes place.
Your employees will be able to respond to cyberattacks of all kinds more effectively when they have a proper procedure in place. Without a policy, they may tell a supervisor or a colleague about a suspicious email, but your team won't be able to respond in an organized fashion. Give them a road map for success by implementing a policy to follow in the event that something occurs.
If You Don't Have Rules Already, It's Time To Make Them
The policy should be well-defined and specific. For example, telling an employee not to give out any type of information is not sufficient, as there must be a policy that defines exactly what information isn't allowed to be given out.
Your security policy also should be clear about how employees can report suspicious activities. It should be in writing, so that the employees understand that if a fraudulent call comes in, they can check against the policy to help them identify it, and record a report. Make sure that you have a procedure in place for what to do with that report, as well.
2. TRAIN EMPLOYEES
The best way to build a policy that your employees can follow is to first teach them what a social engineering attack is. The more they know, the better they will be able to recognize and avoid these attacks. Your training program should define the different types of social engineering attacks, as well as how they are used against your company.
As mentioned previously, your policy should specifically define what social engineering attacks are. However, your employees still need to be able to recognize these attacks when they occur.
Training Sessions Are Critical
The best way to prevent these attacks is to educate your employees about social engineering tactics. In addition to outlining your company policy in your employee handbook and other documents, you should offer regular training sessions to your employees on security threats, including social engineering attacks. This will help them recognize a phishing email when they see one, as well as understand the importance of following security laws.
The training program should include information on how to recognize the signs of a social engineering attack. The more your team knows, the easier it will be to recognize the numerous ways social engineers work. For example, many of these attacks rely on a sense of urgency, so it is important for employees to recognize such pressure when they encounter it.
3. USE A 2-STEP VERIFICATION PROCESS FOR COMPANY ACCOUNTS
One of the most common targets of a social engineering attack is the passwords that protect accounts and services. Fortunately, most websites, from social media accounts to bank and email accounts, can be protected via multifactor authentication and other methods.
Multifactor authentication requires both a password and a one-time code to log in to company accounts. The code (usually a series of digits) is produced by a software application installed on a known external device, such as the user's mobile phone or tablet. Without that specific device, the user cannot log in to the website or account even if they remember the password correctly. This adds a considerable layer of security to the account.
It's Not A Magic Bullet, But It's Good Advice To Follow
Implementing a simple 2-step verification process for your company's accounts won't prevent social engineering attacks all by itself, but it will make it harder for hackers to access company data by making those passwords effectively useless without also having access to the external device. It will also help you catch suspicious activity on your company's email accounts by flagging failed attempts to log in.
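The most common form of the code generator described above is TOTP (RFC 6238): the phone app and the service share a secret at enrollment, and each side derives the current six-digit code from that secret and the clock, which is why a stolen password alone is not enough. The following is an added example written for this page, not code from the original article or from any particular product. It uses the RFC 6238 reference secret (`12345678901234567890`) purely as a constructed test value; the `login` function and its `password_ok` parameter are hypothetical stand-ins for the service's password check.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for demonstration (the RFC 6238 reference
# vector secret). A real service provisions a random per-user secret.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP where the counter is the
    number of `step`-second intervals since the Unix epoch."""
    counter = int(unix_time // step)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226 5.3)
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring
    steps to absorb clock skew between phone and server. Compare in
    constant time so timing does not leak which digits matched."""
    ok = False
    for delta in range(-window, window + 1):
        candidate = totp(secret, unix_time + delta * STEP_SECONDS)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


def login(password_ok: bool, submitted_code: str, unix_time: int) -> bool:
    """Hypothetical login decision: both factors must pass. A phished
    password with no valid device code is refused."""
    return password_ok and verify_totp(SECRET, submitted_code, unix_time)


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(SECRET, now)
    print("current code:", code, "accepted:", login(True, code, now))
```

The `window` of one step on either side is the usual compromise between tolerating a slightly wrong phone clock and keeping the number of acceptable codes small; a server should also rate-limit failed attempts, since a six-digit code offers only a million possibilities.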
4. LIMIT ACCESS TO YOUR COMPANY EMAIL
It may seem obvious, but a company email account should be used for company email only. “Don’t respond to people’s emails about their personal problems,” Goodman warns. And don't respond to unwanted email marketing or other annoying spam on company email or time. Besides being time consuming to manage, you should remember that huge amounts of unsafe email traffic come via these channels.
If an employee receives an email from an unknown source asking for an employee's password or other personal details, they should not respond, even if it appears to be from a company executive. Instead, the employee should contact a manager or other designated party about the email, and report the incident as a potential security threat. Small businesses can't afford to alienate potential customers by ignoring their requests for information, but neither can they risk service disruptions or malicious software being installed. It's important to manage these issues.
Ensuring your employees keep your company's email free from all non-business related topics will prevent your employees from responding to personal-sounding topics which may eventually turn into requests for information.
5. GOOD FILE MANAGEMENT IS KEY
Social engineering attacks often include an email or phone call containing an attachment of some sort. “If you see an email from someone you know and there’s a file or attachment, you should always assume it’s malicious,” Goodman says. That's true even if you're pretty sure it's not - better safe than sorry.
If an email contains an unexpected attachment, your first step should be to contact the sender via phone or other means and confirm that they actually sent the email, according to Hutchins. “If it is malicious, you want to find that out as soon as possible so you can stop it,” he adds.
Keep It Off The Cloud If It's Extremely Sensitive
When it comes to storing files online, it’s important to remember that cloud storage is not 100% secure. In fact, the opposite is often true. “You want to do everything you can to ensure that your company’s sensitive data is NOT stored in the cloud,” Goodman advises. Besides the security risks, there may be legal concerns and similar important factors to consider.
The first layer of protection is to ban all cloud storage for sensitive or confidential documents. The second step is to make sure that no sensitive company data is being stored on any employee’s personal devices or USB drives, and ban users from doing so themselves. Remote work should be performed under secure connections, and particularly sensitive data should remain at the office if possible.
SOCIAL ENGINEERING EXAMPLES
Here are 4 examples of social engineering methods used to gain access to sensitive data, such as business data, a company bank account, and other systems:
1. EMPLOYEES STEALING COMPANY DATA
Social engineering attacks on small businesses can take many forms, including the theft of corporate assets. This is unfortunately common, as a disgruntled employee is often a prime candidate for either committing, or being subject to, a social engineering attack. If the employee is the target of the attack, they may be unmotivated to properly safeguard corporate assets, and cooperate with an attacker despite obvious red flags. After all, if they don't care about their job anymore, and it's not their money, why would they care?
Of course, if an employee is making a deliberate attempt to attack, they are far more likely to be successful, as they are still a trusted member of the team at the moment. In fact, these attacks can be among the most dangerous types of attack to small businesses, since they will often know exactly where important information is kept.
Theft Is A Problem, For Data Too
This means that data theft is a concern for small businesses, and it should be for your small business for sure. Critical data on new clients, new customers, or even a new business idea are all potential windows for attack. Other small businesses, particularly local businesses in your area, might be interested to know your bargaining power, participation in local events, or a good business idea or a business plan. Is your company selling products toward a specific niche? Are there exciting new small projects going on? Is your company hobbled by a market stall? A disgruntled employee can open doors for your competition to find out.
In either case, a small business should take preventative measures to stop these attacks. Maintaining a good relationship with your employees is critical to ensuring that they do their best to keep corporate assets and information secure. After all, it only takes one business idea to build a business, but a business idea shared to your competition might take you out of the running.
Good relationships and trust are the building blocks of a successful workplace, but a disgruntled employee can destroy it as easily as a happy employee can build it. Make a business plan to manage these feelings in your team. Young people in your team will particularly appreciate it, as they'll often lack the context and maturity that your more experienced employees will have to navigate those waters. It's often a low cost, yet important thing to manage as your business grows. Later on, you'll thank yourself for it.
2. 'HELPFUL CONTRACTORS'
The “helpful” contractor is a common social engineering tactic often used by hackers, particularly against larger companies that may employ large numbers of contractors who are not immediately known to all employees. However, small businesses are vulnerable to this type of attack as well. This type of social engineering attack typically involves a hacker who presents himself as a contractor who needs some kind of information to perform the necessary work for the company.
Some of the tactics used in this attack include yet another phone call, where the hacker presents himself as a legitimate company representative, or another fake email which appears to be from a superior. Tactics like these can convince an employee to provide the hacker with information that they wouldn't normally have access to.
3. THE ANONYMOUS EMAIL
Anonymous solicitation emails are one of the most common forms of social engineering attack in general. Many businesses, if not all, have received an email from someone who claims to be someone they aren't. When a company receives one of these emails, it's important for the company to know there are a few ways to verify the identity of the individual sending the email. After all, you don't want to alienate potential clients sending legitimate emails, but you also don't want to install dangerous software by accident.
First, it's important to look at the email carefully. Does it include the real email address of the individual who is sending it? You can determine this by hovering your mouse over the sender's name. Don't be fooled by the friendly name listed on the email, which might be some entity that you recognize, such as Amazon or the name of your bank. Hovering your mouse over the name will reveal the actual email address, which will often be from a free email website such as Gmail. This is a sure sign that the email is fraudulent.
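The check described above, comparing the friendly display name against the real address behind it, can be automated on the mail gateway or in a mailbox rule. The following is an added example written for this page, not code from the original article: it parses the `From:` header and flags the two signs the text names, a free webmail domain and a display name that invokes a brand whose domain does not match the address. The brand list and webmail list are constructed assumptions and would be extended for a real deployment; the sample headers are constructed too.

```python
from email.utils import parseaddr

# Constructed list of free webmail providers (assumption; extend as needed).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed map of brand keywords to the domain that brand really sends
# from (assumption for illustration; a real list would be maintained).
WATCHED_BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com"}


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower().strip()


def sender_flags(from_header: str) -> list[str]:
    """Return human-readable warning flags for a From: header value.
    An empty list means nothing suspicious was found, not that the
    mail is safe; this only automates the hover-over-the-name check."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address could not be parsed"]
    domain = _domain_of(address)
    flags = []

    # Sign 1: the real address is at a free webmail provider.
    if domain in FREE_MAIL_DOMAINS:
        flags.append(f"free webmail domain: {domain}")

    # Sign 2: the friendly name claims a brand the address domain is not.
    lowered = display.lower()
    for brand, real_domain in WATCHED_BRANDS.items():
        same_org = domain == real_domain or domain.endswith("." + real_domain)
        if brand in lowered and not same_org:
            flags.append(f"display name mentions {brand!r} "
                         f"but address domain is {domain}")

    # Sign 3: the friendly name is itself an address at a different domain,
    # e.g. "billing@amazon.com" <x@gmail.com>.
    if "@" in display and _domain_of(display) != domain:
        flags.append(f"display name shows {_domain_of(display)} "
                     f"but mail comes from {domain}")
    return flags


# Constructed sample headers for demonstration.
SAMPLES = [
    "Amazon Customer Service <amazon.support.team@gmail.com>",
    '"billing@amazon.com" <x@gmail.com>',
    "PayPal <service@paypal.com>",
    "Jane Doe <jane@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", sender_flags(header) or "no flags")
```

Such a rule is a triage aid for the person reading the mail, not a verdict: a legitimate small supplier may well write from a webmail address, and the article's advice to confirm unexpected requests by another channel still applies.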
Watch For Other Warning Signs
It's also a good idea to look for spelling and grammatical errors in the email, or bad graphic design, another common telltale sign of a spam email. Scams are often perpetrated by individuals operating in a foreign language they are not very familiar with, while glaring typographical errors would not be tolerated by multinational companies with communications departments, who spend long hours and massive amounts of money to ensure their branding is correct. An absence of spelling and grammatical errors isn't a guarantee that the email is safe, but the presence of such errors is a big red flag.
4. THE SUSPICIOUS PHONE CALL
Another means of social engineering is a phone call or email that asks for log-in credentials for a business service account. This is a popular type of attack, as it’s a relatively easy way for a hacker to gain access to the company's data. After all, it doesn't require any computer skills to deceive someone.
In the case of a phone call, a hacker may claim that a technical issue is preventing the person from accessing his or her account and the hacker may need the user's help to solve the problem. This tactic is often accompanied by a sense of urgency. In the case of an email, the hacker may make the excuse he or she needs the information to respond to an email that was sent by the company.
You should be as wary of an email or telephone call that seems “too good to be true,” as one that is “too important to be ignored.” In both cases, you should verify the identity of the source before giving out any company information or personal details.
The Unfortunate Reality
Even the best security system in the world can be defeated with enough human ingenuity - or in this case, the lack thereof. Many small businesses can be particularly vulnerable to these kinds of attacks, as they often rely on ad hoc relationships and more casual methods. Secure your small business by ensuring that your employees are equipped to recognize, and defeat, incoming social engineering attacks.