Social engineering is still one of the top tools in a cybercriminal’s toolbox – How can we defend against it?
Security technologies, such as firewalls and antivirus software, provide a good foundation for your organization’s security. Yet in reality, it is people’s attitudes, awareness, and actions – coupled with a holistic cybersecurity culture – that will play a decisive role when your organization’s cybersecurity is put to the test. When people know how cybercriminals operate, they will be much more likely to exercise general caution, and thereby strengthen both their own and their organization’s information security.
European Cybersecurity Month is celebrating its tenth anniversary this October. The ECSM campaign actively seeks to make both companies and individuals more aware of cyber threats, and to help them operate in a safer way. Cybersecurity month is therefore an excellent time to remind people about the phenomenon of social engineering, as it often leads to security breaches.
Criminals exploit our human weaknesses
Only a few weeks ago, in late September, there was media coverage of how a teenager posing as an IT support person was able to break into Uber’s systems after stealing an employee’s password and two-factor authentication codes. This person then posted information about the security breach on the company’s internal forum, and also posted an adult entertainment image on the intranet.
How did they manage to do this? With social engineering.
As human beings, we are inherently prone to flattery, keen to help, and inclined to make hasty decisions when rushed – and criminals take advantage of these tendencies.
Scammers employ numerous remote methods, such as emails, text messages and phone calls, but they also manipulate us during encounters in the real world. For example, someone might try to sneak into a company’s premises without permission by following you through a door. A scammer may also pretend to be an official, that is, they may try to use a position of authority to their advantage.
Other methods of manipulation may include threats and blackmail. In the corporate world, there is a risk that important information, property or money may be lost. The scammer may also threaten to distribute sensitive material – yet it is important to remember that the blackmailer often does not have such material in their possession.
Social engineering provides criminals with a shortcut to an organization’s systems
Alone, even the world’s best security technologies are not enough to protect organizations from cybercriminals, as criminals have learned to target people instead, since their actions are much easier to influence. This phenomenon is called social engineering, and it aims to influence the victim and make them do things that are not in their best interest.
It is estimated that as many as 70–90 percent of security breaches involve social engineering, which makes it more of a security threat to companies than traditional malware. As a result of a scam, an employee may inadvertently disclose their username and password to criminals. This will enable the criminals to gain unauthorized access to the company’s systems, from which they can steal valuable trade secrets or other information – information which they may use to blackmail the company or sell to other criminals. This can have serious consequences for the company, such as considerable financial losses, the loss of customers, or even the loss of reputation and credibility.
Information security training as part of organizations’ daily operations
The more aware a company’s employees are, the stronger the company’s information security will be. So how can good information security practices be instilled in everyone’s minds?
The best approach is to increase awareness throughout an organization using a goal-oriented cybersecurity awareness program. However, this requires management’s willingness to commit to continuously developing the company’s information security culture.
Gamification makes learning fun
While cybercriminals are constantly adding new tools to their toolbox, cybersecurity awareness training and communications are required more than once a year. It is best to devise a program that will help everyone to consider their behavior and develop safe practices to protect both themselves and their organization.
And what’s the best way to learn? Although this is a serious issue, learning can be fun.
Content can be in the form of relatable stories and videos, including gamified versions – some good examples are phishing simulations and different kind of exercises and workshops.
Cybersecurity awareness is an important theme throughout the year, as people’s attitudes and actions have a significant impact on information security. At Nixu, we are happy to tell you more about the kind of program that could suit your company’s needs.
And in honor of European Cybersecurity Month, you can find a broad range of cybersecurity tips and other free content on Nixu’s website for both organizations and individuals.
Hanna Raitanen works with cybersecurity awareness programs at Nixu.