The rapid emergence of new IoT devices and cryptocurrencies brings with it a plethora of new security vulnerabilities for social engineers to exploit as they work their way towards an organisation’s sensitive data. But the real question is – what is a social engineer?
You have probably heard the phrase “humans are the weakest link” being tossed around within the cybersecurity sphere. But what does this really mean, particularly within the context of social engineering? Well, what if I told you human psychology could be leveraged to steal an organisation’s sensitive data?
According to CSO Online, in an on-site security vulnerability test conducted by Lares, a Colorado-based security consultancy, founder Chris Nickerson was able to enter the company building without authorisation, bypassing reception and fooling employees into believing he was a Cisco employee on a technical support visit. He was able to let other members of his team in, drop several malware-laden USB drives in locations where people were likely to leave things behind, and break into the company’s network. All he needed was a knowledge of current events, public information available on social networking sites and a $4 Cisco shirt he had purchased at a thrift store.
As human beings, it is inherently in our nature to trust. We want to trust our co-workers; we want to trust each other. Social engineers take advantage of that. Essentially, social engineering is defined as the process of manipulating people into giving away their confidential, private or privileged information or access, rather than relying solely on technical hacking techniques. A modern social engineering attack could range from a phishing email sent from a spoofed sender address masquerading as a senior manager, urgently asking for unpublished financial reports to be sent through, to gaining unauthorised building access by asking other employees to hold the door open, pointing out that their hands are full.
DEFENDING YOUR ORGANISATION
- Awareness is key – Build a company culture that is cyber aware. Have a solid security awareness programme that trains your employees to recognise common and targeted cyber threats such as phishing emails, as well as the dangers of having too much personal information online. Get the support of C-level executives and hold a demonstration in the company lobby of what a malware-laden USB drive is capable of.
- Procedures, processes and policies should be reviewed regularly – Ensure that the appropriate controls and standards are followed for the classification, handling and disposal of public, private and confidential data. Run tabletop exercises that test the company’s incident response plan and identify areas of weakness.
A cyber breach will happen. It is not a question of if, but when. And with social engineering on the rise, it’s best to prepare your organisation before it does.