Cyber Security: Recognize Social Engineering

Social engineering is highly successful because the cyber criminals make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users. 

Large companies, like Equifax and Home Depot, are often the target of the most sophisticated and large-scale cyberattacks, but attacks aimed at small businesses can be equally as devastating. Some of the most common social engineering threats include phishing emails, texts or phone calls and malware.

Stay vigilant to social engineering

Small businesses need to do more to protect their IT systems against growing cyber threats. Larger companies have taken significant steps and dedicated significant resources to securing their systems. As a result, small businesses with weaker cyber security have become easier targets for cyber criminals.

95% of cyber security breaches are due to human error!

Most small businesses and organizations lack the resources to hire dedicated IT staff and incorporate basic cyber security processes to protect their business, information and customers from cyber threats. Even a small business with one computer or one credit card terminal can benefit from strengthening their cyber security protocols.


Social engineering is used by many criminals, both online and off, to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering is a psychological attack in which an attacker tricks you into doing something you should not do through various manipulation techniques. Think of scammers or con artists; it is the same idea. However, today’s technology makes it much easier for any attacker, from anywhere in the world, to pretend to be anything or anyone they want and to target anyone around the world, including you.

Social engineering is successful because the cyber criminals are doing their best to make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users. A 2014 IBM study revealed that human error was the primary reason for 95% of cybersecurity breaches.

Most offline social engineering occurs over the telephone, but it frequently occurs online as well. Information gathered from social networks or posted on websites can be enough to create a convincing ruse to trick your employees. For example, LinkedIn profiles, Facebook posts and Twitter messages can allow a criminal to assemble detailed dossiers on employees. Teaching people the risks involved in sharing personal or business details on social media can help you partner with your staff to prevent both personal and organizational losses.

Many criminals use social engineering tactics to get individuals to voluntarily install malicious computer software such as fake antivirus, thinking they are doing something that will make them more secure. Fake antivirus is designed to steal information by mimicking legitimate security software. Users who are tricked into loading malicious programs on their computers may be giving an attacker remote control of the machine, unwittingly installing software that steals financial information, or simply being sold fake security software. The malware can also make system modifications that make it difficult to terminate the program.

The presence of pop-ups displaying unusual security warnings and asking for credit card or personal information is the most obvious method of identifying a fake antivirus infection.

Guard against cyberthreats

Here are 10 tips to help small businesses and organizations guard against new and emerging cyberthreats:

  1. Develop or review your cybersecurity plan. An effective cybersecurity plan should include strong network security, encryption and authentication technologies. The FCC offers a free cybersecurity planner for small business owners.
  2. Use a firewall and antivirus software. Protect your internet connection by setting up a firewall and encryption. All computers should be equipped with antivirus software and antispyware. Set up automatic software updates on all company devices to ensure security fixes are in place.
  3. Secure your Wi-Fi network. Make sure your Wi-Fi network is secure with password-protected access to your router. Set up a separate guest account with a different password for customers or clients who need to access Wi-Fi, so they don’t have access to your main network.
  4. Protect your devices. Hackers can use a stolen laptop, smartphone or tablet to access your network. Maintain an inventory of equipment, and make sure your employees know to secure any company devices when not in use.
  5. Back up your data. Store data in several places, using off-site and cloud-based services. If you become a victim of a cyberattack, you’ll be able to restore operations quickly without having to pay for a ransomware decryption key.
  6. Strengthen passwords. Enforce strict company-wide policies for creating strong passwords, using different passwords for different applications and changing passwords on a regular basis.
  7. Educate employees. Develop an employee training program to ensure everyone understands security policies and procedures. Schedule refresher courses periodically to keep employees informed.
  8. Increase email security. Train your employees on how to spot a phishing attempt by paying close attention to URLs and reading emails carefully, even those appearing to come from a known sender. Ask them to avoid opening unknown or unexpected email attachments (especially compressed or ZIP files) or clicking on links.
  9. Separate your important data. Reduce the damage of a potential security breach by making sure your data isn’t all stored on one device or in one place. For instance, don’t keep your payroll information on the same device you use to process credit card payments. That way, if one of your devices is compromised, some of your data will still be safe.
  10. Implement an incident response plan. Documenting what to do in the event of a security breach—such as who to notify and where backups are stored—can save your organization valuable time in a crisis.
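As an added illustration of tip 8 (not code from the original article), the script below checks one email for two of the indicators the tip describes: a link whose visible text names a different host than the real target, and a compressed attachment. The message it inspects is constructed inline for the demonstration.

```python
"""Flag the phishing indicators from tip 8: mismatched link hosts and
compressed attachments. Example code added to this page, not the article's."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

COMPRESSED = {".zip", ".7z", ".rar", ".gz", ".iso"}
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(text):
    """Return the lowercase hostname in a URL or bare-domain string, or None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def find_indicators(raw_message):
    """Return human-readable warnings for one RFC 822 message (as a string)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(e) for e in COMPRESSED):
            warnings.append(f"compressed attachment: {filename}")
        if part.get_content_type() != "text/html":
            continue
        for href, label in ANCHOR_RE.findall(part.get_content()):
            shown = host_of(re.sub(r"<[^>]+>", "", label))  # host the user sees
            actual = host_of(href)                          # host the link opens
            if shown and actual and shown != actual:
                warnings.append(f"link text says {shown} but goes to {actual}")
    return warnings


def sample_message():
    """Constructed example message (not real mail, all hosts hypothetical)."""
    m = EmailMessage()
    m["From"] = "it-support@example.org"
    m["Subject"] = "Urgent: verify your account"
    m.set_content("Please verify your account.")
    m.add_alternative('<p>Go to <a href="http://login.example-secure.net/v">'
                      'https://bank.example.com</a> now.</p>', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="invoice.zip")
    return m.as_string()


if __name__ == "__main__":
    for warning in find_indicators(sample_message()):
        print("WARNING:", warning)
```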

Cyber training and protocols can make a crucial difference in reducing or eliminating the number of cybersecurity breaches.


References:

  1. https://transition.fcc.gov/cyber/cyberplanner.pdf
  2. https://www.navyfederal.org/resources/articles/small-business/protect-your-business.php
  3. https://www.sans.org/security-awareness-training/resources/social-engineering-attacks/
  4. https://www.ibm.com/developerworks/library/se-cyberindex2014/index.html