You can have all the sophisticated firewalls and antivirus software in the world, but it still won't protect your biggest cyber vulnerability - your people. When it comes to cyber-attacks, technology is just part of the picture, with the majority of breaches also involving some sort of social engineering or, in other words, manipulating your trusting and helpful employees to get access to your systems.
Social engineers use a variety of methods to trick you and your employees into lowering your defences, whether through email, social media, phone, text, or physical hardware. And while a lot of us might think we would be too smart to fall for their techniques, you might be surprised at how convincing, and successful, they can be.
A lot of the time, social engineers will ask for information that seems innocuous on its own, but which can be used to devastating effect when combined with additional details gathered from elsewhere. For example, they might simply try to find out whether your software is up-to-date, or the name of your IT manager; information which seems perfectly innocent. They also prey on the natural instinct of your employees to be friendly and helpful – particularly those in sales or customer service roles.
The statistics show that plenty of businesses fall for it, with a recent report finding that 60% of enterprises were victims of social engineering attacks in 2016 and nearly a fifth of those (17%) having their company financial accounts accessed as a result. Meanwhile, the Federation of Small Businesses (FSB) estimates that these attacks cost small businesses over £5bn each year. So, it pays to know what to look out for.
Here are some of the most notorious social engineering tactics to be aware of:
According to the FSB, nearly half (49%) of the small businesses hit by a cyber-attack in the last two years were victims of phishing. This kind of social engineering involves a hacker contacting an individual or company, posing as a trusted source, such as their bank or mobile phone provider, and tricking them into sharing certain sensitive personal, financial or business details. It's most likely to happen over email, however social engineers can also use social media, phone, or text messages, to get what they need.
Just like phishing, but this time it's personal, with hackers targeting a specific individual, using details they have gathered from other sources, such as social media. By including this personal information, the communication automatically seems more legitimate and convincing, with individuals much more likely to fall for the attack.
This is where a hacker creates a false scenario to persuade an individual to divulge sensitive information. So, they might pose as your IT provider, saying they need your log-in details urgently, or pretend to be your bank, telling you your details have been compromised and to confirm your identity. In a lot of cases, the social engineer will introduce a sense of urgency to the situation, so you feel under pressure and don't have time to think clearly about the legitimacy of the request.
You also need to watch out for attacks using physical hardware, such as a USB stick or external hard drive, which hackers might leave in your office, or somewhere else you can find it. If you inadvertently install the hardware, you'll introduce malware onto your systems and give hackers access to all your sensitive and confidential data.
What can you do to avoid an attack?
The best way to avoid falling to attack is to make sure all employees are aware of what to look out for, and how to respond if they are targeted. This includes:
Always verify a caller: If somebody calls up out of the blue requesting information, always verify their identity by asking for details they should know.
Call back: If you're unsure of the legitimacy of a call or email, give the company a ring back on a number that you know is authentic.
Beware suspicious links and attachments: Check where an email has come from before downloading attachments or clicking on links. And if you're uncertain, just don't.
Avoiding physical attacks: Check the identity of visitors before letting them into your building, don't leave confidential information lying around, and ensure you lock your computer screen when not at your desk.
Payments processes: Be careful about adding and changing supplier and vendor information, ensuring bank details are provided on company headed paper, quoting a specific reference and/or known point of contact at the organisation. Other best practice checks include calling a phone number you know to be correct to verify the payment details and having the payee confirm receipt of a partial payment before transferring the full balance. It is also advisable to have a dual authorisation process in place, whereby two senior members of staff have to sign off a payment before the bank can make the transfer.
Social media awareness: It's also important that employees understand the dangers of oversharing on social media and have the necessary privacy controls in place.
It only takes one weak link and all your hard work and investment in security is wasted. Read more about cyber security, and the measures you can take to stay protected in our Ultimate guide to cyber security.
And remember, if you do get hit, a cyber liability policy is your final line of defence. Find out more about how it can protect your business in our Insurance 101, or drop us a line at firstname.lastname@example.org.