It’s easy to assume your company will be safe with security systems in place, but this view just won’t cut it against the latest breed of hackers.
Hackers aren’t trying to break down your infrastructure at all. In fact, they’ve got a far simpler and more effective method, one they’re using to dismantle thousands of companies across the world every month.
The Element of Human Error
Ultimately, no matter how secure your network, there will always be one employee who, through a combination of bad luck and poor security awareness, lets through an attack.
This element of human error is what hackers capitalize on in what’s become known as “social engineering”. The term means a hacker doesn’t even need to break into a system, as most of the time an employee will unwittingly invite them right in!
The rise of social media has fed right into the effectiveness of social engineering. The billions of interactions we make every day on Facebook, LinkedIn and other platforms have made it normal to us, and even brought us entertainment when we receive weird requests from strangers. Yet, this nonchalant attitude has become a danger to the workplace.
It’s an unfortunate reality of our social media-driven existence that an employee is now more likely not only to open a suspicious email or take an odd call, but to carry out its request. This is exactly why social engineering has become so effective.
So, what is Social Engineering?
Simply put, it’s a hacker combining their technical skills with the coercion needed to manipulate a member of your workforce and gain entry to your systems.
It can be simple and done without notice or it can be forceful and frightening. It can be a single act, or it can be one step in a complex scheme that only becomes apparent months later.
However it happens, social engineering capitalizes on lapses in concentration. It picks on an absent-minded executive or an eager-to-please new assistant, with devastating results.
There are a number of ways hackers use social engineering – let’s cover each variant before we consider their prevention. Often, your employees won’t even know what’s happened, so let’s make sure you do!
Phishing happens when a hacker emails you while disguised as a company or colleague and tricks you into sharing personal information. 90% of the 293 billion emails sent around the world each day are viruses. It’s really just a matter of time until you are affected.
The modern phishing email looks exactly like the real deal and can be very difficult to spot. It could be a general email sent to your whole team, or it could be a more specific email (known as spear phishing) that targets a vulnerable newbie or a particular executive.
It’s by no means a new technique, yet social media’s ever-growing range of formats makes it easier than ever to catch you out with requests to update your password or to tag yourself in photos.
Hackers are not always introverted nerds. They can also be slick telephone con artists. By calling up a member of your team and pretending to be a fellow employee or related company, a hacker can obtain information that enables them to access your network or more specific data.
Some will call as many members of your company as possible to offer IT maintenance, in the hope that one of them authorizes their entry. Others will pretend to be the boss and demand that an urgent bank transfer be made.
Hackers can also observe which websites your company visits. Once they are sure of a favorite, they infect that website with malware. Anyone who visits the affected website will be infected by the virus, which will then continue to cripple your network from the inside.
Without a doubt the most dreaded outcome of social engineering, ransomware is harmful software installed on your network that the hacker will only remove once you’ve paid them a “ransom.”
Once you fork over their demands, be it money or data, there’s no guarantee they will release you. They will then hold even more of your information, which grants them even more access. It’s a brutal reality experienced by many companies. The best prevention is awareness!
The bait could be anything from a routine maintenance email from your recognized provider to a downloadable voucher for a restaurant. As soon as you authorize a download, the ransomware begins its installation. And from there, it only spreads.
More like the “brute force” attacks of old, these work by having a group of computers simply overload your network with traffic so that you temporarily lose access.
When you regain access, your network may have been visibly pillaged. On the other hand, everything may look the same when, in fact, your information has been copied for later use.
If you really want to feel like you’re in a Hollywood film, then consider this last approach, which features real-life intrusion of your systems. Tailgating commonly involves a hacker impersonating a deliveryman or other sort of workman, who then enters your building and conducts his hack from inside.
While easily prevented in larger companies, SMBs without strict entry card processes can fall victim to this surprisingly easily.
The Future of Social Engineering
Social engineering has a worryingly bright future because of ever-growing reliance on social media and the constant threat of human error.
The increasing relevance of social media in banking, health-related and other personal services makes our accounts more valuable targets than ever. The takeover of these accounts will only become more and more profitable.
Social platforms are now becoming tools of vital function as well as communication. In combination with the Internet of Things, they are sure to cause chaos.
What can you lose?
Well, everything really. You could lose personal information in cases of identity theft, as well as personal credit card details in financial heists, affecting anyone from just yourself to the entire workforce and their families.
You could also lose vital company information, product designs, operations processes and any other internal plans shared across your network. This may threaten your reputation and market advantage.
What can you do?
There is a lot you can do to build your company’s resistance to social engineering. However, as you guessed, these efforts are only as good as your least vigilant employee.
It doesn’t seem like a real threat until it happens, and then you will regret not having done something sooner. Here are a few tips to hold off hackers and strengthen your workforce at the same time.
Change passwords often – Require both frequent changes, say every three months, and complex construction.
Encrypt – So many SMBs neglect to encrypt their sensitive information, even when sending it outside of their network. It is a vital part of effective company security.
Antisocial media – Lock down all social media privacy settings if social media is used at work, and do the same with your browsers.
Patch like mad – Missed updates on any piece of software leave windows for ransomware and other evils to get into your network. Update your systems rigorously and you will minimize this likelihood.
Unknown? Delete! – We’ve all opened an unknown link or file while in a rush. Enforce a zero-tolerance policy on this poor practice and breaches will be far less likely.
Approval needed – Configure your network so that only company-approved devices can initiate access. This will not only protect your sensitive info but also ensure that existing viruses on company devices do not spread further.
A Little Common Sense – At the end of the day, this is what it really takes to prevent a majority of social engineering attacks. Don’t recognize the sender? Already sent those details? Saw the CFO just an hour ago? Trust your gut and check before you act!