Beware of Social Engineering in Business
Beware of Social Engineering!
In the context of business cyber security, social engineering is the manipulation of people (mainly employees) to undertake actions or give out information that will cause harm to their organisation.
The social engineering of employees often involves the manipulation of people’s vulnerabilities within an organisation. To illustrate, imagine the new Administrator receiving an email from their MD asking them to immediately pay for a Christmas Party booking. Will they wait and give it some thought, or will they respond as soon as they possibly can. Chances are the employee will do as requested within a short time frame in order to keep their MD happy and prove how reliable they are. Now imagine that the email didn’t really come from their MD, but instead from a fraudster. This example demonstrates how business hierarchy is used to carry out cyber attacks.
Sometimes it’s a numbers game.
The Attacker may send A LOT of emails and chances are they’ll catch someone who is vulnerable to attack; the new employee / the employee who is already in the doghouse and trying to prove themselves / the mega busy employee / the employee who is distracted by an external situation… the list goes on.
Sometimes it’s more targeted.
Research will have gone into the members of an organisation; who reports to who? You’ll know yourself how much information you can quickly gain simply by looking on LinkedIn – hackers will explore many avenues to glean information, and not just legitimate routes. The term ‘Engineering’ implies complexity – because the process can be complex!
Social Engineering takes many shapes…
A socially engineered attack could take place via email, in a letter, over the phone, and could even be a device that’s planted for the victim to find (think of a USB stick that looks familiar…)
How to avoid being a victim
Firstly, stop and think!
Speed is of the essence, or in this case, lack of. It’s better to do nothing in the first instance. Slow down. Check that what you’ve received / have been told is legitimate. Using the example above, the Administrator could call the MD’s PA to check that the Christmas party does need to be paid for and if so, to whom. They’ll quickly ascertain whether the request is real.
Training of new staff, and the ongoing training of all team members, is vital.
Let your team know that you’d rather they stop and think than react too fast. And make sure that you’re up to date and giving them the latest information.
Keep your systems up to date
Ensure you have all the latest IT Security provision in place.
Hackers come from every angle, so Cyber Security needs to be everywhere. The complexity of a socially engineered attack needs to be mirrored by equally (if not more) complex security.
At Net Primates we can guide you through what’s needed to avoid a socially engineered cyber attack. We’re constantly monitoring security threats, and evolving our security provision to help keep you safe. We’ll also advise on ways in which you can help keep your staff up to date and trained.