Cybercriminals are certainly unscrupulous, but it cannot be denied that they’re also persistent and inventive. They will identify and exploit any deficiencies present in an organisation’s security – including your employees.
It may be common for the layperson to believe that the digital world’s lawbreakers are reliant upon specialised skillsets and advanced technology but, in reality, their approaches are more reliant on psychology than technology.
Hackers can gain access to networks by identifying and utilising deficiencies in technical resources but, in reality, most don’t: more than 80% of all cyber security incidents are caused by human error.1
Here, we’ll look at the typical attack vectors cybercriminals use to take advantage of human fallibility and how organisations can protect themselves against them.
Social engineering explained
‘Social engineering’ is a blanket term used to describe the common practices hackers use to trick individuals into providing them with sensitive information or access to restricted virtual and physical locations. Typically, these methods rely on employees’ naivety. Unlawful actors often mimic officious entities to gain trust before then getting their victims to hand over data.
They also regularly send correspondence claiming that either its recipient or their employer will face severe consequences if a certain action is not undertaken. Others leverage curiosity as a means of misleading victims, enticing a course of action that results in devices – and, therefore, potentially networks – becoming infected.
The social engineering frameworks hackers leverage are varied, but the vast majority can be placed into just a handful of categories. Below, I describe these methodologies, as well as outline what organisations can do to counter them.
Undoubtedly the most common attack vector harnessed by hackers targeting employees is the phishing email. One of the most common types of phishing attacks sees hackers create email accounts and templates that mimic a trusted organisation such as a bank or online services provider. These emails, which are sent to employees of targeted organisations, request that users click on a link to, for example, complete a survey, update a password or something similar.
These messages are used in order to get users to unwittingly disclose sensitive information about themselves that criminal elements can use to access their employer’s systems. They can also direct users to a counterfeit login page that will send the credentials the user enters directly to a hacker or direct a user to a compromised website through which their device can be infected. So common are these types of attacks that it has been estimated that as many as one in every 25 branded emails is a phishing attack.2
Similar to phishing attacks, baiting relies on encouraging users to do something that will lead to them compromising their device and, potentially, the employer’s digital infrastructure.
A hacker could, for example, leave a pen drive in a place they know an employee of an organisation they are targeting frequents. This individual could then find the item and, out of curiosity or perhaps a desire to return it to its owner, insert it into a work device. The end result: the device becomes infected and, if not identified, isolated and removed, can go on to infect the organisation’s entire network.
Quid pro quo
Here, cybercriminals contact employees offering goods or services. Sometimes, they request sensitive information in return or, alternatively, simply state that the employer will need to make a change – such as temporarily disabling anti-virus or opening a port so that software can be remotely upgraded – that leaves their organisation vulnerable to attack.
A common example of such attacks involves cybercriminals calling employees and claiming to be from their technical support department and offering to help with a reported problem. Eventually, they will encounter an individual who requires assistance. They can then talk this individual through a series of steps that will result in them providing the attacker with access to their device. They can then infect the device with malware, ransomware etc.
Unsophisticated but nevertheless effective, the tailgating or ‘piggybacking’ attack sees cybercriminals gain access to restricted parts of organisations’ working locations without the necessary authentication.
With access often achieved through something as innocuous as a door being held open by an employee, it’s not surprising that studies have revealed that 70% of organisations believe they are vulnerable to such attacks.3 As a successful attack can not only compromise sensitive data but also put physical property and employees at risk, the need to take such attacks seriously cannot be understated.
Free cyber security audit
Identifying and preventing social engineering
Fortunately, there are steps that organisations can take to address the cyber security threats generated by their employees.
The most effective and, in my opinion, essential thing an organisation can do to protect itself is to provide cyber security training to its employees. Ultimately, they are the flaw that is exploited whenever such an attack is successful and, as the aforementioned statistics show, they’re also behind the vast majority of all data breaches.
The purpose of such training is not simply to provide attendees with the knowledge needed to identify phishing emails, bait etc. but to empower them; to build a platform from which every member of your organisation is able to contribute to your cyber security strategy.
An employee that knows not to click on what could potentially be a malicious link reduces the likelihood of a single attempt to access your infrastructure succeeding; an employee that knows to report such an email to administrators can prevent all attacks from the same source from reaching any of their colleagues.
As important as training is, however, it must be teamed with other cyber security solutions. Anti-virus, firewalls, encryption and, for large organisations, real-time network monitoring are all integral to the creation of a robust and secure network. Implement these without training your employees, however, and it really is only a matter of time before your organisation suffers a data breach – and irreparable damage to its reputation.