Posted on Mar 12, 2018
It is an unfortunate reality for the executives of successful businesses that hackers are determined to use online trickery and social engineering techniques to gain access to valuable and proprietary corporate data. Executives need to be fully aware of the risks, make proper investment in effective security measures, and institute training programs that teach all employees to recognize and prevent social media attacks.
Social Engineering Is On The Rise
Social engineering spans multiple information security topics, including phishing, spear phishing, pretexting, baiting, quid pro quo, ransomware, vishing, angler phishing, and more. Although each of these social engineering attacks may be unique in its specific approach, they all have similarities including:
The cost of risk and the potential cost of breach from socially engineered attacks should not be underestimated by executives.
According to the 2017 U.S. State of Cybercrime Survey, “the human attack surface [is estimated] to reach 6 billion people by 2022” and ...
Five action items to help minimize the risk of breach from social engineering attacks include:
1. Require staff to have an incident response action plan
When it comes to social engineering, it’s not a matter of if but of when. No amount of spam and traffic filtering or other technology has perfect foresight. Regardless of where an attack comes from, businesses must be ready with an effective incident response plan. Organizations need to ensure staff has a proper incident response plan that defines procedures at every step of the process, from providing mechanisms for non-IT employees to report incidents to considering the addition of security controls to help prevent future incidents.
It’s important to have a simple, easy-to-follow incident response plan that can be understood by non-technical staff: a one-pager listing who to call, from law enforcement to legal, IT security, and so on.
2. Don’t neglect employee cybersecurity training
Studies have shown that security training for employees is an extremely effective way to minimize the risk of breach from social engineering attacks; one such study by Wombat Security and The Aberdeen Group showed a 70% reduction in social media attacks after relevant training. CxOs should ensure their company has a successful information security awareness education program that covers important social engineering and information security topics including:
Time spent with each employee on these topics can go a long way toward preventing a potentially devastating breach, because an employee who is knowledgeable about socially engineered attacks knows how to prevent them. Businesses can look to third-party resources for tools to measure employee satisfaction and deliver effective cybersecurity training, but at minimum all employees should know that if they have any suspicion, they should feel confident saying that the organization’s security policies don’t allow information to be shared.
3. Ensure investments in high impact technical security controls are in place
This consideration is a given for any business executive that is serious about cybersecurity – ensure your business has prioritized and funded the acquisition of effective security controls.
Some security control protections against social engineering schemes include configuration and patch management, endpoint malware protection, backup and disaster recovery, social engineering testing, intrusion detection and intrusion prevention systems, vendor risk management systems, threat monitoring, and a robust security ratings service to monitor your efforts, among other controls.
Today, 80% of the budget goes to reactive technologies like firewalls or anti-virus software, and only 20% of the budget goes to proactive technology. By investing more in proactive technology, organizations can better combat cybersecurity threats.
By operating off the assumption that the organization will get breached sooner or later, the focus becomes not if you will get hacked but how to make it as hard as possible for an attacker to infiltrate the rest of the organization if you do.
An example from my former CISO days:
One time I conducted a red team exercise, and the consultants I hired sent an attachment to a few engineers in our company saying, “It’s hard to hire great engineers - here is a resume of an amazing developer in NYC - take a look.”
The attachment contained crafted malware that was not detected by any of our other systems, and then they used the infected computer to spread to the rest of the organization.
The lesson for our team was that it’s worth investing in the right controls and processes to make a propagation like that one as hard as possible.
Organizations that invest in proper security controls have been shown to decrease the number of successful attacks and the cost of remediation. For example, a recent study by Hewlett Packard showed that companies that “deploy advance backup and recovery operations ... reduced the average cost of cyber crime by nearly $2 million” and “companies [that] reported having a formal information governance program ... [were] shown to reduce the cost of cyber crime by nearly $1 million.”
4. Invest in methods to uncover typosquat websites
Although not directly related to preventing a staff member from being compromised by a social engineering attack, this is an extremely important consideration for business executives. Many successful social engineering attacks start with a spoofed online entity that looks legitimate. Typosquatting refers to an attacker setting up a fake online presence, typically under a domain that differs from the real one by a typo or lookalike character, to deceive potential targets into believing they are visiting a legitimate site. Executives with a significant client base, whose clients could themselves be fooled by such an attack, should consider enlisting a service that can report on typosquat websites that may be the foundation of a criminal social engineering effort. Similar to the first consideration above, executives should ensure their staff have an incident plan in place for any uncovered typosquat websites, which can include client education and legal action.
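As an added illustration of the kind of check such a reporting service performs (example code, not from the original post or from SecurityScorecard), the following Python script generates common typo variants of an organization's own domain and flags any that appear in a list of observed domain registrations. The brand domain, the substitution rules and the observed list are all constructed assumptions for the example.

```python
"""Flag observed domains that are typosquat variants of our own brand domain.

Constructed example for brand-monitoring purposes; the variant rules below are
a simplified assumption, not any vendor's actual detection logic.
"""

# Characters commonly swapped for lookalikes in typosquat domains (assumed set).
CONFUSABLES = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
               "a": ["4"], "m": ["rn"], "rn": ["m"]}
ALT_TLDS = ["com", "net", "org", "co", "io"]


def typosquat_variants(domain: str) -> set[str]:
    """Return candidate lookalike domains for `domain` (e.g. 'examplecorp.com')."""
    name, _, tld = domain.rpartition(".")
    names: set[str] = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])            # omission: drop one char
        names.add(name[:i] + name[i] + name[i:])      # repetition: double one char
    for i in range(len(name) - 1):
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for i in range(1, len(name)):
        names.add(name[:i] + "-" + name[i:])          # hyphen insertion
    for src, alts in CONFUSABLES.items():             # single lookalike substitution
        idx = name.find(src)
        while idx != -1:
            for alt in alts:
                names.add(name[:idx] + alt + name[idx + len(src):])
            idx = name.find(src, idx + 1)
    names.discard(name)                               # never flag the real name
    variants = {f"{n}.{tld}" for n in names}
    variants |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}  # same name, other TLD
    return variants


def find_lookalikes(brand: str, observed: list[str]) -> list[str]:
    """Return the observed domains that match a generated variant of `brand`."""
    candidates = typosquat_variants(brand.lower())
    return sorted(d for d in observed if d.lower() in candidates)


# Constructed sample input: our brand plus a feed of newly seen domains.
BRAND = "examplecorp.com"
OBSERVED_DOMAINS = ["examplecorp.com", "exmaplecorp.com", "examp1ecorp.com",
                    "example-corp.com", "examplecorp.co", "unrelated-site.net",
                    "examplecorpp.com"]

if __name__ == "__main__":
    for hit in find_lookalikes(BRAND, OBSERVED_DOMAINS):
        print("possible typosquat:", hit)
```

Each flagged domain is a lead for the incident plan described above (client education, takedown or legal action), not proof of malicious intent on its own.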
5. Ensure employee personal information is tightly controlled
Many social engineering scams target known individuals within an organization. Executives should drive security programs to ensure hackers can’t easily pull up a contact list of employee emails, titles, phone numbers, or other personal information online that might help tailor an attack to an individual. To this end, organizations can subscribe to services that continually mine the internet for references to employee personal information that is much easier to obtain than it should be. (A key capability of SecurityScorecard is its ability to surface a broad range of potential social engineering issues, such as employees using their corporate account for online services, employees being listed in publicly available marketing lists, employee dissatisfaction, and employees publishing posts to social media using their corporate information.)
Social engineering based attacks are not going away anytime soon. If anything, they’re becoming more targeted and sophisticated. By considering the five action items above, executives can take another step toward creating a real defense against these threats.