In this blog, we discuss the importance of organisational culture to cyber resilience and security. While technical safeguards are important, the rise of social engineering as a method of breaching an organisation’s security means that technical solutions alone are likely to be ineffective. Consequently, employees are often your organisation’s first line of defence to prevent cyber criminals from accessing, stealing, corrupting, or undermining its critical information infrastructure and valuable data assets. So, what is social engineering and how can organisations effectively guard against it?
What is social engineering?
Social engineering is a form of cyber attack where scammers manipulate individuals into disclosing confidential or sensitive information. Social engineers circumvent sophisticated technical security systems by playing on the curiosity and diligence of well-meaning employees. Social engineering is attractive to attackers as it requires less technical skill to achieve than more traditional cyber attacks, is cheap to implement on a broad scale and is likely to achieve results.
Phishing is one of the most common forms of social engineering and uses email as the attack vector to trick individuals into revealing bank details, other sensitive information or company trade secrets, or into allowing malware onto their computers. Phishing emails usually appear to be from a legitimate source and contain a hook which causes individuals to feel that they should immediately open the email and provide the information requested or otherwise comply with its demands.
A simple example of phishing is receiving an email that appears to be from your electricity provider alleging you have an overdue bill. The email may then require you to enter payment details or click on a link to contest the payment, allowing malware to be installed onto your computer. Of course, there are likely to be signs that this is not a legitimate email. Most obviously, it may not be from your electricity provider. However, this is not an issue for attackers, who can send a large volume of emails at very low cost, some of which are likely to strike a chord with a number of recipients.
While most savvy internet users would not be fooled by the example given, methods of social engineering are growing in sophistication and effectiveness.
In fact, phishing attacks are surprisingly effective, with Verizon finding, in its 2017 Data Breach Investigations Report, that 7.3% of users were successfully phished, whether via a link or an opened attachment.
This high open and click rate reported by Verizon is likely due to the advent of spear phishing, the name given to more targeted phishing attempts, in which attackers research information specific to an individual or organisation to add legitimacy to the attempt. By including small pieces of accurate information, even information which is publicly available, phishing expeditions become much more effective and have the potential to result in greater adverse consequences and harm for organisations. A common example of spear phishing is contact that appears to come from within an organisation, such as a request from the IT Help Desk for an employee to reset their password. These are much more difficult to guard against, as cooperative employees are less likely to be on alert when receiving an internal request and are more likely to assume that it is legitimate.
How to guard against social engineering
Social engineering is particularly difficult for organisations to prevent, as there is no technical solution which can be implemented to counter it. The challenge for organisations is to cultivate an organisational culture in which employees are encouraged to identify suspicious attempts to access information and respond appropriately. So how does an organisation go about doing this?
- Training – Educating employees is essential to deflecting social engineering attempts. Organisations should aim to cultivate healthy scepticism in employees surrounding any unsolicited communication and build guidelines around what types of information employees can and cannot disclose to external and internal sources. An interrogation of the different pretexts which attackers are likely to use is also a good focus for training. Training should occur on a regular basis and form part of the induction process for all new employees, as it only takes one weak link in the chain for a security breach to occur.
- Special training should be considered for employees in customer-facing roles, such as receptionists or call-centre staff, as many security breaches occur as the result of unintentional oversharing in an effort to be helpful.
- Developing a policy around passwords incorporating complete secrecy, use of strong passwords and frequent changes can also be helpful. This will mean that employees will be on alert if their password is requested by anyone.
- While training is crucial in educating all employees, Cisco recommends promoting a top-down security culture as an effective way to increase resilience against social engineering. Social engineers will likely target employees at all levels, and this threat will be best addressed in a culture where employees feel that maintaining security is a central part of their role in the organisation. This must also be paired with a culture where employees feel comfortable coming forward, especially if they may have enabled a breach.
- Implementing a system for reporting attempted breaches or suspicious communication is also an effective way to monitor social engineering and identify patterns. It will also help employees keep social engineering at the forefront of their minds. Alerts should be sent out if any organisation-wide threats are identified.
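As an added illustration of the reporting and pattern-spotting step above (example code, not from the original post), the following Python triages emails that staff have forwarded to a reporting mailbox: it flags the help-desk pretext from the spear-phishing section (an internal-sounding display name sent from a domain that is not the organisation's own) and groups reports by sender domain and subject so that a lure reaching several employees can trigger the organisation-wide alert the post recommends. The organisation domain, the pretext word list and the sample messages are constructed assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "corp.example"  # assumed: the organisation's own mail domain
# Display-name fragments that imply an internal sender (assumed list)
INTERNAL_PRETEXTS = ("it help desk", "helpdesk", "it support", "payroll")

# Constructed sample of emails forwarded by staff to the reporting mailbox
REPORTED = [
    "From: IT Help Desk <support@corp-helpdesk.example>\n"
    "Subject: Password reset required!\nTo: alice@corp.example\n\nReset today.",
    "From: IT Help Desk <support@corp-helpdesk.example>\n"
    "Subject: Password Reset Required\nTo: bob@corp.example\n\nReset today.",
    "From: IT Help Desk <support@corp-helpdesk.example>\n"
    "Subject: password reset required\nTo: carol@corp.example\n\nReset today.",
    "From: Acme Energy <billing@acme-energy-bills.example>\n"
    "Subject: Overdue bill\nTo: dave@corp.example\n\nYour bill is overdue.",
    "From: IT Help Desk <helpdesk@corp.example>\n"
    "Subject: Scheduled maintenance\nTo: erin@corp.example\n\nNo action needed.",
]

def parse(raw):
    """Return (display name, sender domain, normalised subject, recipient)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = re.sub(r"\W+", " ", msg.get("Subject", "").lower()).strip()
    return name.strip().lower(), domain, subject, msg.get("To", "").lower()

def claims_internal_but_external(raw):
    """Help-desk pretext: internal-sounding display name, non-organisation domain."""
    name, domain, _, _ = parse(raw)
    return any(p in name for p in INTERNAL_PRETEXTS) and domain != ORG_DOMAIN

def detect_campaigns(reports, threshold=3):
    """Group reports by (sender domain, subject); a group that reaches `threshold`
    distinct recipients is treated as an organisation-wide campaign worth an alert."""
    recipients = defaultdict(set)
    for raw in reports:
        _, domain, subject, to = parse(raw)
        recipients[(domain, subject)].add(to)
    return {key: len(v) for key, v in recipients.items() if len(v) >= threshold}

if __name__ == "__main__":
    print([parse(r)[1] for r in REPORTED if claims_internal_but_external(r)])
    print(detect_campaigns(REPORTED))
```

Subjects are normalised before grouping so that trivial variations in capitalisation or punctuation across the same lure still count as one campaign.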