A successful New Jersey business recently retained a cyber expert to evaluate the effectiveness of its network’s cybersecurity. The expert upgraded the company’s systems and educated its employees on how to recognize, prevent and respond to a cyber-attack. The expert then tested the defenses and was unable, despite multiple attempts, to hack into the company’s network. Satisfied that the network was reasonably secure, he decided to try one last trick. Posing as a friendly client who had an upcoming meeting, he called a receptionist and was given a Wi-Fi password which gave him access to the company’s network and sensitive information.
The good news for the company is that the breach was not real. The bad news is that, despite spending thousands of dollars to bolster its network security, the company’s network was compromised with a simple phone call. This is social engineering at its best.
WHAT IS SOCIAL ENGINEERING?
Social engineering is a broad term to describe the practice of using social interactions and deception to obtain or compromise financial or computer information. It can be a cheap, easy and low-tech way for hackers and cyber criminals to gain access to a company’s protected information. In fact, the majority of existing malware is designed to trick a user through some type of social engineering scheme rather than exploit a technical flaw in a system or program. This is a wise strategy for hackers since it is estimated that computer users account for more than 90% of cybersecurity incidents.
Social engineering relies on psychology and human nature to manipulate its victims. Famed hacker and social engineer Kevin Mitnick, who is a prominent cybersecurity consultant, observed that people “may know that they shouldn’t give out certain information, but the fear of not being nice, the fear of appearing ignorant, the fear of an apparent authority figure – all these are triggers, which can be used by a social engineer to convince a person to override established security procedures.” The social engineer targets companies and individuals by posing as a legitimate contact such as a client, employee, creditor or vendor in order to further the deception and gain access to company information. They can be friendly, helpful and unassuming or, in the case of an IRS scam, serious and threatening.
Social engineers also target people’s natural curiosity by sending e-mails or social media posts containing intriguing or attention-grabbing headlines and files or articles embedded with malicious links or software. One cyber expert was able to gain access to his client’s login credentials by placing Trojan-infected USB drives throughout the company’s parking lot. He correctly assumed that at least one employee would plug a drive into their computer to see what was on it. This is what social engineering is designed to do – exploit human nature to manipulate victims into giving up information or access to computer networks.
Social engineering comes in many forms. It can involve direct communication such as phone scams or physical interaction such as “shoulder surfing” or “tailgating” (e.g., a fake delivery person following an employee into a secure area). Social engineers can also monitor social media and other sources to gather personal information to be used in a broader, more significant cyber-attack.
One of the most popular and successful forms of social engineering is phishing, which involves sending e-mail or social media messages to trick a person into providing personal information or to infect a computer system with malware or ransomware. Hackers pose as a trustworthy or recognized entity or may send an e-mail from a hacked account belonging to a friend, business associate or co-worker. More sophisticated hackers use e-mail or websites which appear legitimate and may include detailed business or personal information which makes an attack more difficult to detect. Employees at all levels of an organization are vulnerable to such attacks.
THE COST OF SOCIAL ENGINEERING
The business cost of social engineering and cyber-attacks is eye-opening. A study conducted in 2015 estimated that the cost for an average company to contain malware is $1.9 million and that large companies, with more than 10,000 employees, spend an average of $3.7 million a year to address and respond to phishing attacks. Another study estimated that the average organizational cost of a data breach is $7.01 million. The total cost of cyber-attacks on global business was estimated to exceed $300 billion last year.
Potential costs to companies include expenses for investigation, regulatory compliance, legal and public relations, and lost business/revenue. In the case of the theft of customer financial data, a company may also be responsible for costs associated with customer notification and protection and potential fines and penalties for regulatory violations. Long-term costs for a company could include increased insurance premiums and the loss of a company’s reputation and goodwill.
These risks apply to companies of all sizes. IBM recently estimated that small and mid-sized businesses account for 60% of all cyber-attacks. Such companies, which are generally less sophisticated and less prepared to deal with cyber-attacks, may make more attractive targets for hackers and cyber criminals.
MANAGING THE RISK OF SOCIAL ENGINEERING
Companies can take certain steps to help mitigate the risk of social engineering. There are many factors that play into evaluating a company’s specific risk but some of the general steps are as follows:
• Establish and maintain an effective cybersecurity program with clear rules/procedures
• Constantly update and monitor computer systems and network
• Educate and train employees and management on how to identify, avoid and respond to social engineering and cyber-attacks
• Create a phishing incident and data breach response plan and rehearse responses to various attacks (“fire drills”)
• Consider purchasing cyber liability insurance to cover the potential costs associated with a socially engineered cyber-attack
• Consider retaining an expert to evaluate and test network security and to assess the company’s policies and its ability to prevent and respond to social engineering and cyber-attacks
Despite the potential dangers and costs of social engineering, companies can help protect their financial and customer information by educating themselves and taking a proactive approach to cybersecurity.