You can have all the sophisticated firewalls and antivirus software in the world, but it still won't protect your biggest cyber vulnerability - your people. When it comes to cyber-attacks, technology is just part of the picture, with the majority of breaches also involving some sort of social engineering or, in other words, manipulating your trusting and helpful employees to get access to your systems.
Social engineers use a variety of methods to trick you and your employees into lowering your defences, whether through email, social media, phone, text, or physical hardware. And while a lot of us might think we would be too smart to fall for their techniques, you might be surprised at how convincing, and successful, they can be.
A lot of the time, social engineers will ask for information that seems innocuous on its own, but which can be used to devastating effect when combined with additional details gathered from elsewhere. For example, they might simply try to find out whether your software is up-to-date, or the name of your IT manager; information which seems perfectly innocent. They also prey on the natural instinct of your employees to be friendly and helpful – particularly those in sales or customer service roles.
The statistics show that plenty of businesses fall for it, with a recent report finding that 60% of enterprises were victims of social engineering attacks in 2016 and nearly a fifth of those (17%) having their company financial accounts accessed as a result. Meanwhile, the Federation of Small Businesses (FSB) estimates that these attacks cost small businesses over £5bn each year. So, it pays to know what to look out for.
Here are some of the most notorious social engineering tactics to be aware of:
According to the FSB, nearly half (49%) of the small businesses hit by a cyber-attack in the last two years were victims of phishing. This kind of social engineering involves a hacker contacting an individual or company, posing as a trusted source, such as their bank or mobile phone provider, and tricking them into sharing sensitive personal, financial or business details. It's most likely to happen over email; however, social engineers can also use social media, phone calls or text messages to get what they need.
Spear phishing is just like phishing, but this time it's personal, with hackers targeting a specific individual using details they have gathered from other sources, such as social media. Because the message includes this personal information, it automatically seems more legitimate and convincing, and individuals are much more likely to fall for it.
Pretexting is where a hacker creates a false scenario to persuade an individual to divulge sensitive information. So, they might pose as your IT provider, saying they need your log-in details urgently, or pretend to be your bank, telling you your details have been compromised and asking you to confirm your identity. In a lot of cases, the social engineer will introduce a sense of urgency, so you feel under pressure and don't have time to think clearly about whether the request is legitimate.
You also need to watch out for attacks using physical hardware, such as a USB stick or external hard drive, which hackers might leave in your office or somewhere else you are likely to find it. If you inadvertently plug the device in, you could introduce malware onto your systems and give hackers access to all your sensitive and confidential data.
The best way to avoid falling victim to an attack is to make sure all employees are aware of what to look out for, and how to respond if they are targeted. This includes:
It only takes one weak link and all your hard work and investment in security is wasted. Read more about cyber security, and the measures you can take to stay protected in our Ultimate guide to cyber security.
And remember, if you do get hit, a cyber liability policy is your final line of defence. Find out more about how it can protect your business in our Insurance 101, or drop us a line at email@example.com.