It's week 4 of the National Cyber Security Awareness Month (NCSAM) and the theme for this week is "cybersecurity for small and medium-sized businesses and entrepreneurs." Small to medium-sized businesses make up a large portion of the economy, so it shouldn't be a surprise that 70% of cybercrimes resulting in data breaches targeted small businesses. Cybersecurity education and policies are essential for the survival of these businesses.
There are many ways a business can improve their security measures, but technological safeguards will do nothing if a social engineer can get an employee to grant them access to the network. The human element is often the weak link; however, that doesn’t have to be the case. Educating and training employees on security policies and best practices can help them become another line of defense against inevitable social engineering attacks.
Social engineering is a type of cyberattack exploiting the human element rather than directly attacking a network. Social engineering can involve targeted phishing emails (95% of all attacks on enterprise networks result from successful spear phishing), or vishing—a tactic that involves the social engineer actually speaking to the victim over the phone. In either attack the attacker will attempt to impersonate someone or an entity the victim trusts such as the company’s IT department, a supervisor, an admin, Facebook, LinkedIn, etc. In a recent study by McAfee, 30,000 participants around the world were given a 10-question quiz and were asked to identify which emails were phishing ones and which were not. 80% fell for one or more phishing emails.
Social engineering is successful because of a few reasons:
Training, training, training. Cramming for an exam the night before, without having previously studied, is the worst way to go about preparing for an inevitable attack. The once-a-year training session is not enough. Employees may leave these rapid-fire trainings and forget everything they learned by the end of the day. Continuing education and awareness training seems to be the best solution to the human element in cyber security.
In a recent radio interview with Dark Reading, Chris Hadnagy, chief human hacker at Social-Engineer, related an experience his team had with a company that hired them:
“...80% of employees clicked on phishing emails, 90% fell victim to vishing and 90% were duped by one of his team members impersonating a person at the help desk. We went to town educating them, and then in a later test, which we made more difficult, they shut us down,” he said. “We got nowhere.”
Hadnagy’s experience demonstrates the importance of training and how it can help.
Keep the following things in mind when protecting your small or medium-sized business from social engineering: