Interest in digital security grew rapidly in 2020. From social media to voting to corporate software, speculation about and reports of potential breaches have been on the rise. Work from home has created a unique set of problems as well. As more corporations continue to push back the date when employees can return to their offices, if they return at all, company-owned computers and software are being used over unprotected internet connections. Or worse, employees are using personal computers to get the job done.
Most companies use VPNs to allow employees access to company resources and information from remote locations. If an employee's home network or device is compromised and it has access to the company's data via VPN, the entire company network is compromised. Additionally, all it takes is one wrong click from an employee working in a coffee shop for their computer to be publicly discoverable.
Social media is the second most valuable source of information used in social engineering attacks, behind readily available PII. Employees might not understand the insights that can be gained from their seemingly innocent posts.
So what exactly is social engineering and how is it a risk?
Social engineering is a type of attack in which the attacker builds enough trust with the victim to get the victim to do something, such as click a link, download a file or enter information.
It’s the type of scam we hope the elderly don’t fall for and end up emptying their life savings. It's the kind of attack that looks friendly, not like something you should be wary of at all. But social engineering attacks can cause a whole slew of problems and cost a company a lot of capital.
Who’s at risk for social engineering breaches?
Social engineering attacks happen millions of times a day. There are two broad types: general and targeted.
The general attack works like a mass mail campaign. Millions of emails or messages on social media are sent and the attacker is hoping 0.1% of people fall for the scam. This tactic can easily work on someone who isn’t familiar with how to vet links or who is too busy to fully read a message before acting on the request.
It’s important to double check where the email is coming from, whether the message was sent over an encrypted or authenticated channel, who your reply will actually go to, and whether the links go where they say they will. One misstep can give a hacker access to one small detail, and that detail can spiral into something bigger.
Typically, your email platform will flag potential hacks like this as spam, but occasionally the hackers are so good and the content is so compelling that it ends up in an employee's inbox.
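The checks listed above (sender versus Reply-To, and link text versus link target) can be automated. The script below is an added illustration, not code from the original article; it works on a constructed sample message and uses a deliberately simple "last two labels" domain comparison and a regex anchor extractor, so it is a teaching aid rather than a production mail filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for demonstration; not a real phishing email.
RAW_MESSAGE = """From: IT Support <helpdesk@example-corp.com>
Reply-To: support-desk@mail.example-corp.co
Subject: Password expires today
Content-Type: text/html

<html><body><p>Your password expires today. Sign in now:</p>
<a href="http://login.example-corp.co/reset">https://login.example-corp.com</a>
</body></html>
"""

# Simplistic anchor extractor: captures the href and the visible link text.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def registered_domain(host):
    """Compare only the last two labels, so mail.example.com and example.com match."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def domain_of_address(addr):
    """Registered domain of an e-mail address such as 'Name <user@host.tld>'."""
    return registered_domain(parseaddr(addr)[1].rpartition("@")[2])

def check_message(raw):
    """Return human-readable findings; an empty list means no mismatch was found."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of_address(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of_address(reply_to) != sender:
        findings.append(f"Reply-To {parseaddr(reply_to)[1]} is outside the sender's domain {sender}")
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        target = registered_domain(urlparse(href).hostname or "")
        shown = registered_domain(urlparse(text.strip()).hostname or "")
        if text.strip().lower().startswith("http") and shown != target:
            findings.append(f"link text shows {text.strip()} but points to {href}")
        if target != sender:
            findings.append(f"link {href} leads off the sender's domain {sender}")
    return findings

if __name__ == "__main__":
    for finding in check_message(RAW_MESSAGE):
        print("-", finding)
```

Run against the sample, it reports three findings: a Reply-To on a look-alike domain, link text that does not match its target, and a link leading off the sender's domain.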
The other type of social engineering breach is a targeted attack where the attacker spends time gathering information about the victim and crafts a personalized message. High-profile individuals, wealthy people and company executives are the typical targets for this type of attack.
Such messages often rely on a scare tactic, and if the attacker triggers the recipient in just the right way, they may panic and provide all of the information requested just to ensure they aren’t publicly embarrassed.
The personalized-message attack often ends up in the hands of the CEO or another executive who would have access to sensitive files and information.
Until recently, email was the dominant medium by a wide margin. Attackers, however, have started to move to social media and text messages.
Many corporations issue employees both a computer and a mobile phone, and the phone can also provide access to private company information. And, with multiple family members at home using the same network, the exposure grows.
So how can you protect your employees and organization?
- Use a VPN that has the ability to analyze traffic for malicious programs.
- Do anti-phishing training. If your company doesn't offer it, there are several free online courses.
- Use a reputable antivirus program.
- Educate employees on controlling personally identifiable information (PII) online.
In the event of a breach, understand the vector and intent of the attack. What was the attacker trying to get from the employee? That should inform all remediation steps. Common steps are to inform the necessary staff immediately, and for the employee to lock his or her personal credit report and any other financial accounts.
How can privacy software help?
As business owners already know, you have to spend money to make money. Strategically spent capital can open doors to increasing revenue, and also keep threats out.
A study by IBM showed the average cost of a data breach for a company is $3.86M. That is only the cost to remediate the attack and comply with reporting laws. The effect of reputational damage on a company's bottom line is harder to calculate, but it can destroy a company.
Investing in high-quality privacy software can help mitigate an attack before it becomes a financial and legal disaster. If a breach makes it through to an employee's device, and the employee is unaware of it or slow to report it, the damage may be too great to recover from.
Let’s talk about a review process.
Here are three things your company should review each year to make sure you are thwarting social engineering breaches.
- Policy is just as important as tools, and compliance is more important than both. An annual review of your company's policies and audit procedures is critical.
- Limit the attack surface of people in key roles. Anyone who has the authority to wire money or initiate payments should be reviewed annually. Social media training, phishing training, and PII control for those people should be reviewed regularly.
- Vector analysis. Research how other organizations in your industry are being attacked and ensure you have programs in place to address those specific threats.