Social engineering has become the conduit of choice for cybercriminals as they work to penetrate networks to cause disruption and financial loss. Unfortunately, it’s a conduit that can be difficult to close.
According to a recent report from the Office of the Australian Information Commissioner, malicious or criminal attacks (including cyber incidents) accounted for 64% of all data breaches, while phishing attacks caused at least 15% of the data breaches reported to it. Human error is also noted as a critical factor and caused 32% of reported incidents.
Social engineering is used by cybercriminals in a range of different ways. Some use social networking platforms to harvest personal details about individuals and then use that information to craft emails and text messages that appear to be authentic.
For example, a recipient might receive an email that seems to have come from their company’s HR department asking them to confirm personal details. Alternatively, they might receive a text message that appears to have been sent by their bank, asking them to enter credit card or bank account details, which are then stolen and misused.
Other techniques involve using physical items such as USB storage keys. A staff member could be sent a key that appears to have come from a reputable source and contain important business data. However, once that key is inserted into a corporate PC, the malware contained on it quickly spreads into the organisation’s IT infrastructure.
Create a human firewall
Clearly, human beings are on the front line when it comes to social engineering attacks, yet this doesn’t mean there’s nothing that can be done to improve security. Increasing numbers of organisations are building what’s termed ‘human firewalls’ designed to reduce incidents and prevent malicious attacks.
Human firewalls are groups of employees who are committed to following best-practice steps when it comes to cybersecurity. The bigger the group gets within an organisation, the stronger the firewall becomes.
Creating an effective human firewall to help overcome the challenges of social engineering requires a few important steps. They are:
- Explain the reasons: Begin by explaining to all staff why the strategy is being followed and how important it is for overall IT security. Some may already be very vigilant and aware of potential social engineering techniques, but many may not. Hold an organisation-wide session to kick things off.
- Keep it simple: Corporate cybersecurity strategies can be complex beasts. Rather than trying to inform everyone about everything, start with some simple, practical steps that everyone can immediately follow. These may include not clicking on suspicious attachments and not inserting unknown USB drives into PCs. Staff should also be encouraged to report any unusual communications or requests to their internal security team for review.
- Continue the education: Creating a human firewall is not a one-off activity. Staff should be regularly encouraged to remain vigilant and informed of any new threats that might be identified.
- Explain the software you’re using to protect devices: With a strong mobile device management (MDM) partner, organisations can protect company and user data without impacting the end user experience. Explain to employees what the software does and doesn’t look for, and what IT is able to access on their device if it is found to be infected.
- Recognise contributions: When staff identify things such as attempted phishing attacks, ensure their efforts are recognised. This will make it more likely that others will take the challenge seriously.
- Don’t forget contractors: Many organisations have contractors who join teams for extended periods. Ensure they are included in the human firewall push and understand their role in keeping IT resources secure.
By following these steps, Australian organisations can help to reduce incidents of social engineering that lead to cyberattacks. Staff can become a strong protective layer that will prevent cybercriminals from gaining access and causing problems.
Humans will always make mistakes, but well-informed and motivated humans can become a valuable part of an organisation’s overall security strategy.