Many organisations now allow their people to work remotely. However, such arrangements present a great opportunity for cyber criminals, particularly through social engineering. This involves tricking someone into breaching security procedure or giving away information, most often over the telephone or via email, but also through direct observation (known as ‘shoulder-surfing’) and unauthorised physical access. Social engineering exploits weaknesses in people rather than technology, preying in particular upon the human propensity to trust. Often these approaches are used to gather information in support of a more targeted attack, with the initial forays made ‘little and often’ so that no single request seems worth questioning.
By improving employee awareness and introducing simple technical measures, organisations can protect themselves against social engineering and its potential impact on business, customers and data.
Raising awareness about low-tech attacks that exploit curiosity
During major events, spectators are likely to share pictures and video clips with contacts either directly or via social networking sites. Both are common ways of spreading dubious and potentially harmful software, especially as shortened links and QR codes give people no obvious clue as to where a link will take them until it is too late. During recent athletics tournaments, for example, spam emails with subject lines such as ‘are Chinese gymnasts too young?’ lured people into opening the messages and downloading hidden malware.
Larger organisations usually have the resources to protect themselves technically, yet they still routinely fall prey to these low-tech attacks, which exploit human curiosity rather than any software flaw. Alerting people to the increased likelihood of such attacks around major events is an important first step. There are also technical controls that can be implemented, such as QR readers that display the decoded address and ask for confirmation before opening it, and web filtering that expands shortened links and blocks known malicious destinations, to help minimise the likelihood of employees visiting sites that present a security risk.
Ensuring employees are suitably apprehensive
Phishing scams (emails apparently from a reputable source, such as a bank, that are used to capture victims’ personal information or login details) rose by 66 per cent during some recent large-scale sporting events and remain a popular way for cyber criminals to get past a company’s defences. Phishing relies on trust, and on the ease with which an email can be made to look official.
Organisations can reduce their exposure to this type of attack by encouraging their people to become more vigilant. Employees should be urged to confirm that a source is genuine before engaging with it, and to understand what information they should never send in response to an unsolicited message. In addition, requiring a stronger form of authentication to access corporate systems has become a popular defence, so that a password captured by a phishing email is not enough on its own; some banks, for example, hand out PIN code devices that generate one-time passcodes to their customers.
Managing and protecting identities of home working staff
The increase in home working is likely to create a significant risk around calls made to IT help desks, particularly calls to resolve problems connecting remotely to corporate networks. Cyber criminals will exploit this by posing as staff who have been locked out, in order to talk the help desk into resetting a password or handing over login details and so gain access to IT systems. A common variant involves impersonating someone in authority to put pressure on help desk staff to skip the usual checks. Implementing stronger identity verification for such calls (for example, calling the employee back on a number already held on record, or requiring a second factor before any credential is reset) and testing home-working arrangements in advance, so that fewer people need to call in the first place, could significantly reduce this risk.
PA has worked with the UK Government’s Centre for the Protection of National Infrastructure to help define, develop and deliver new national guidance on managing people, physical and cyber risk. The guidance will ensure the UK is at the forefront of enabling organisations across its national infrastructure to reduce counterproductive behaviour.
To find out more about protecting your organisation from social engineering attacks and developing an effective cyber security strategy, please contact us now.