There’s a Weakness in Your Organization’s Security – It’s You
By: Doug Steelman
It’s football season. You’ve got your media room, your grill, and your beer-stocked fridge. Your fantasy team has been drafted, and you’re ready for Sunday’s game, eager to ridicule your friends as your team dominates this week’s match-up.
You get an email from your league on Friday. Your quarterback’s been injured and is out of the game. “Click here to sign a free agent QB.” You click the link. Only it wasn’t really from your Fantasy Football league. But it’s too late. Your system has been compromised by a cyber threat actor – a hacker.
Social engineering, manipulating people into giving up confidential information, is not a new concept. The tactics have changed, though, and the amount of personal data that is now easy to find online makes it much simpler for threat actors to craft messages that look legitimate.
Why It Works
Social engineering isn’t sophisticated. It doesn’t take a tremendous amount of technical knowledge to be successful. Virtually every person has some aspect of their life online, and because most people don’t realize how much of that information is exposed, there is no shortage of potential targets. When it comes to spearphishing, cyber criminals know how to manipulate: preying on human behavior and emotions, creating a sense of urgency, and personalizing the lure to the target can fool even the most prepared individuals.
Prevention Eventually Fails
You clicked the link. It happens. Even people who look at security all the time, myself included, are vulnerable. That isn’t an excuse to throw vigilance out of the window, but it does mean when it happens, you don’t need to beat yourself up. Acknowledge that your data is out there, it’s easy for bad guys to get, and it’s time to reexamine your security program.
All Hope Is Not Lost
I’ve said it before, but it bears repeating – vigilance is critical. It takes effort; however, assuming the threat isn’t coming for you is a losing strategy. When it comes to safeguarding your organization against social engineering tactics, there are two parts to prevention:
- Take the human decision-making out of the process
  - Digital certificates verify a sender’s identity, assuring you, the recipient, that the message really came from who it claims to be rather than relying on the name in the “From” line.
  - When you receive a text or email, stop and ask yourself “Is this information I’ve put online?” Don’t be afraid to call and confirm the communication you received is legit – using a phone number you already have, not one supplied in the message.
- Implement a strong security awareness training program
  - Don’t just check off the compliance box – make it specific and real, based on the tactics cyber threat actors (criminals, hacktivists, and nation-state actors) are actually using.
  - We test our employees with targeted spearphishing emails – not to embarrass anyone, but to demonstrate how easy it is to find personal information and as a reminder that no one is immune from these schemes.
The bottom line is this – you can’t stop threat actors from trying to use your information against you. It could be an urgent email from your Fantasy Football league, a Facebook message from a friend, or a call from your bank – threat actors are creative and efficient. Why invest the time in finding a way to steal passwords and credentials when they can simply trick people into giving them away?
This increases the risk to businesses as personal and professional online activities blend more closely together. But you can implement security procedures that increase awareness among your employees and reduce the opportunities for human error. You can (and should) develop a comprehensive incident response plan that prepares your organization for a breach. And you can survive social engineering attacks when your security program implements prevention methods but also plans for if and when prevention isn’t enough.