Over the last couple of decades, cyber-attacks have certainly advanced. 10 years ago, protecting your network behind a business-class firewall was enough to thwart most attacks. First, your network was set up, and then security was put in, as an afterthought. That was good enough for most businesses. But now, businesses and data are moving into cloud environments at a substantial pace. The cloud allows for security to be integrated more easily into your network than ever before.
Along with a change in technology, and an increase in cyber-security knowledge within the Information Security field, comes an evolution in the way hackers and other cyber criminals are targeting your business.
Cyber criminals are now implementing what is known as social engineering attacks. Simply put, a social engineering attack is where a hacker will manipulate a member of your organization into providing financial or confidential information, or perhaps performing desired actions through nefarious means.
Common social engineering attacks include phishing, pretexting, baiting, quid pro quo, and tailgating.
An example of a common social engineering attack is the purchase of gift cards. Cyber criminals will use spoofed emails that mimic those of your organization. Oftentimes they will choose the email of the CEO, CFO, or some other high ranking officer within the organization. This email will then be sent to another member of the team stating that the officer will need the employee to purchase “x” number of gift cards and send them to a particular address. In reality, the CEO sent no such email and has no idea the purchase has been made. Time and again when this is discovered, it is too late; the money is already in the hands of the hacker.
Another common attack is the frequently used “looks like your password has changed” email imitating Microsoft or some other big trustworthy company that your business uses which includes a link to conveniently reset your password. The link takes you to a site that looks identical to Microsoft, but is in reality a way for the hacker to gain access to your email account, and in turn your network.
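As an added illustration that is not part of the original post, the following Python check screens incoming mail for the two patterns just described: an officer's display name arriving from outside the organization (with a gift-card request or a redirected Reply-To), and a "your password has changed" message that names a trusted vendor while linking somewhere else. The organization domain, executive names, trusted brand domains and the sample messages are all assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Every value here is an assumption for this example, not taken from the original post.
ORG_DOMAIN = "example.com"                 # the organization's own mail domain
EXECUTIVES = {"jane doe"}                  # display names of officers likely to be spoofed
TRUSTED_BRANDS = {"microsoft": ("microsoft.com", "microsoftonline.com")}
URL_HOST_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)

def _domain(address):
    # Lower-cased domain of an e-mail address, or the host of a URL authority.
    return address.rpartition("@")[2].split(":")[0].lower()

def analyze_message(raw):
    """Return finding codes for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(sender)
    # Pattern 1: an officer's display name on mail that comes from outside the organization.
    if name.strip().lower() in EXECUTIVES and sender_domain != ORG_DOMAIN:
        findings.append("exec-name-external-sender")
    # Replies quietly redirected to another mailbox are typical of the gift-card scam.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append("reply-to-mismatch")
    body = "" if msg.is_multipart() else msg.get_content()
    if "gift card" in body.lower() and "exec-name-external-sender" in findings:
        findings.append("gift-card-request")
    # Pattern 2: the mail invokes a trusted brand, but its links lead somewhere else.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in body.lower():
            for host in URL_HOST_RE.findall(body):
                host = _domain(host)
                if not any(host == d or host.endswith("." + d) for d in domains):
                    findings.append("lookalike-brand-link")
                    break
    return findings

# Constructed sample messages (reserved example.* domains only).
GIFT_CARD_MAIL = ("From: Jane Doe <jane.doe@example.net>\nTo: bob@example.com\n"
                  "Reply-To: Jane Doe <ceo.jane@example.org>\nSubject: Quick favour\n\n"
                  "Bob, please buy 5 gift cards and email me the codes. I'm in a meeting, don't call.\n")
RESET_MAIL = ("From: Microsoft Account Team <no-reply@example.org>\nTo: bob@example.com\n"
              "Subject: Looks like your password has changed\n\n"
              "Your Microsoft password was changed. Reset it here: https://login.example.org/reset\n")
LEGIT_MAIL = "From: Jane Doe <jane.doe@example.com>\nTo: bob@example.com\nSubject: Lunch\n\nNoon?\n"
```

Running `analyze_message` over the three samples flags the gift-card mail on all three checks, flags the reset mail for its lookalike link, and returns nothing for the genuine internal message.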
There are a number of ways to mitigate the risks of social engineering attacks. Security awareness training within your organization can be a great benefit to educate your employees on the types of attacks that exist. Two-Factor or Multi-Factor Authentication (2FA / MFA) is a second way to increase security. This involves having a special code sent to your cell phone, email, or another source that you must input in addition to your email credentials.
There are also other security measures that can be put in place. Knowing the latest threats and working with a vendor that keeps up with industry best practices is paramount to business continuity and security. Best practices include restricting and managing permissions, requiring strong passwords that are changed often, automatic encryption of data, and having automated monitoring and reporting focused on security.
If you would like more information on ways your business can be protected from social engineering attacks, please reach out to us for a consultation.