Social engineering: Employees could be your weakest link

22.10.2015
Would your employees recognize a phishing email if they saw one? Social engineering, or the act of attacking the human element of information security, poses a significant risk to businesses. With the level of sophistication of cyberthreats increasing by the day, many organizations can greatly improve the steps they take to defend against these types of attacks.

Cybercriminals have long used phishing and other social engineering methods to trick their victims into providing access to confidential data, such as passwords, Social Security numbers or account numbers. But those techniques are growing in sophistication, according to Verizon’s 2015 Data Breach Investigation Report.

In addition to the tried-and-true method of sending legitimate-looking emails to unsuspecting victims, cybercriminals are now using social media and other popular platforms to launch their attacks. With many of these phishing schemes targeting employees, business leaders should be aware of the risks that social engineering can pose to their operations, reputation and customers.

While your business may invest heavily in its information security infrastructure, such as firewalls and antivirus software, these measures may not be adequate for mitigating the risk of social engineering attacks. If you want to protect your company from cyberthreats, do not underestimate the importance of the human factor.

Phishing attacks have been a factor in more than two-thirds of cyber-espionage incidents for the past three years, according to the Verizon report. Phishing is one of the most common and efficient (less time, less complexity and low cost) social engineering methods used by cybercriminals.

The Verizon study noted that more than 23% of recipients open phishing emails at some point, and 11% open the attachments — an unsettling number, especially for businesses with hundreds or thousands of employees.

And phishing is on the rise, according to APWG, a nonprofit organization founded in 2003 as the Anti-Phishing Working Group. APWG tracks worldwide information about phishing attacks. More than 197,252 unique phishing reports were submitted to APWG during the fourth quarter of 2014, the latest time period for which data is available. This was an 18% increase from the prior quarter.

Spearphishing is a specific type of phishing attack in which the attacker uses a fake email address to deceive an individual in an attempt to gain unauthorized access to personal information. This is a highly targeted operation in which the hacker has at least some information that he can use to make himself seem familiar to the intended victim.

Social networks are increasingly being used to perform spearphishing attacks. Cybercriminals can also use crawling sites to gather information from social media. And some are even using Google Drive to stage phishing attacks.

Here are just a few examples of the types of phishing attacks that you or your employees could fall victim to:

In addition to establishing an information security program and using firewalls and/or content filtering to restrict access to potentially malicious information, it is important to train your employees.

Social engineering phishing testing can help you identify vulnerabilities and monitor the effectiveness of information security policies, procedures and training at your company. In these tests, an email with a fake link is sent to targeted employees. Employees who click on the link will be taken to a website with training resources about phishing, and test performance is measured and reported to management. A qualified consulting firm can assist your company by performing this testing quarterly or semiannually.
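One way to score such a test from the training page's access log, as an added example that is not part of the original article: each test email carries a per-employee token in its link, and the script maps clicks back to departments and to the people who need follow-up training. The roster, the token format, the `/training?t=` URL and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed roster for a sanctioned phishing-awareness test: token -> (employee, department).
ROSTER = {
    "t7f3a1": ("a.lopez", "Finance"),
    "c09e4b": ("b.chen", "Finance"),
    "9d2c77": ("c.patel", "Operations"),
    "e4a1f0": ("d.smith", "Operations"),
    "5b6d88": ("e.jones", "HR"),
}

# Constructed web-server access log lines from the training landing page (assumed
# Apache-style format). The link in each test email carries the employee's token.
ACCESS_LOG = """\
203.0.113.10 - - [22/Oct/2015:09:14:02 +0000] "GET /training?t=t7f3a1 HTTP/1.1" 200 4120
203.0.113.11 - - [22/Oct/2015:09:15:40 +0000] "GET /training?t=9d2c77 HTTP/1.1" 200 4120
203.0.113.10 - - [22/Oct/2015:09:16:05 +0000] "GET /training?t=t7f3a1 HTTP/1.1" 200 4120
203.0.113.12 - - [22/Oct/2015:09:20:11 +0000] "GET /favicon.ico HTTP/1.1" 404 0
203.0.113.13 - - [22/Oct/2015:10:02:33 +0000] "GET /training?t=zzzzzz HTTP/1.1" 200 4120
"""

CLICK_RE = re.compile(r'"GET /training\?t=([A-Za-z0-9]+) HTTP/1\.[01]" 200 ')

def clicked_tokens(log_text):
    """Return the set of roster tokens whose link was clicked; unknown tokens are ignored."""
    found = set()
    for line in log_text.splitlines():
        m = CLICK_RE.search(line)
        if m and m.group(1) in ROSTER:
            found.add(m.group(1))
    return found

def click_report(log_text):
    """Click rate overall and per department, plus the usernames needing follow-up training."""
    clicked = clicked_tokens(log_text)
    sent = defaultdict(int)
    hits = defaultdict(int)
    for token, (_user, dept) in ROSTER.items():
        sent[dept] += 1
        if token in clicked:
            hits[dept] += 1
    per_dept = {d: round(hits[d] / sent[d], 2) for d in sent}
    follow_up = sorted(ROSTER[t][0] for t in clicked)
    overall = round(len(clicked) / len(ROSTER), 2)
    return {"overall_click_rate": overall, "by_department": per_dept, "follow_up": follow_up}
```

Repeat clicks by the same employee count once, and a token that is not in the roster (a forwarded or guessed link) is not attributed to anyone.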

The greater an employee’s awareness, the less likely he or she will fall victim to social engineering attacks. In addition to conducting phishing tests, you can train employees on email and browser security best practices, including these tips:

Your employees can also be one of your company’s greatest vulnerabilities in the face of growing cyberthreats. However, with proper training, they could also be one of your best defenses against social engineering attacks.

Alejandro Mijares, MSIS, CISA, is a risk advisory services IT manager in Kaufman Rossin’s Miami office. Kaufman Rossin is one of the Top 50 accounting firms in the U.S. and provides IT security consulting services to businesses and financial institutions. You can reach Alejandro at amijares@kaufmanrossin.com.

(www.computerworld.com)

By Alejandro Mijares
