Reducing the threat of social engineering to cyber security
Remote working and home working present a new risk to cyber security, particularly through a technique known as social engineering. This involves tricking employees into breaching security protocol or giving away information, most often over the telephone or via email, but also through direct observation (known as ‘shoulder-surfing’) and unauthorised physical access.
Social engineering exploits weaknesses in people rather than technology, preying upon the human propensity towards trust in particular. Often, these exploits are used to gather information to support a more targeted cyber attack, with the initial forays based on the premise of ‘little and often’ so as not to cause concern. Employees at all levels, including senior executives, are vulnerable.
By improving employee awareness and introducing simple technical measures, organisations can protect themselves against social engineering and the risk of a cyber attack and its potential impact on business, customers and data.
Raising awareness about low-tech cyber attacks that exploit curiosity
During major events, spectators are likely to share pictures and video clips with contacts either directly or via social networking sites. Both are common ways of spreading potentially harmful software, especially as the use of shortened links and QR codes gives people no obvious clue as to where the link will take them. During recent athletics tournaments, for example, spam emails using titles such as ‘are Chinese gymnasts too young?’ lured people into opening emails and downloading hidden malware.
Larger organisations usually have the resources to protect themselves technically, yet they still routinely fall prey to this type of low-tech cyber attack. Alerting employees to the increased likelihood of such cyber attacks is an important first step. There are also many technical controls that can be implemented, such as using QR readers with built-in security, to help minimise the likelihood of employees visiting sites that present a risk to cyber security.
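As an added illustration of the kind of technical control mentioned above (this is example code written for this page, not a product or tool of PA or any QR reader vendor), the function below screens a link decoded from a QR code or pasted from a message for the warning signs that hide its real destination: a link-shortener host, a bare IP address, an embedded username, a punycode look-alike domain, or a non-web scheme. The shortener list is a constructed sample, and the check is purely offline, so nothing is fetched.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample of link-shortener hosts; a real deployment would maintain its own list.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def screen_link(payload: str) -> dict:
    """Return the destination host and a list of risk indicators for a decoded link.

    The link is inspected only by shape; it is never opened or resolved.
    """
    indicators = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # Anything other than a plain web link (e.g. javascript:, file:, or no scheme at all).
    if scheme not in ("http", "https"):
        indicators.append(f"unexpected scheme '{scheme or 'none'}'")
    # user@host tricks make the visible text look like a trusted site.
    if parts.username or parts.password:
        indicators.append("credentials embedded before the host")
    # Shorteners are the page's main point: the reader cannot see where they lead.
    if host in KNOWN_SHORTENERS or any(host.endswith("." + s) for s in KNOWN_SHORTENERS):
        indicators.append("link shortener hides the real destination")
    # Internationalised domain names can imitate familiar brands.
    if host.startswith("xn--") or ".xn--" in host:
        indicators.append("punycode host may imitate a familiar name")
    # Legitimate public services are rarely reached by a raw IP address.
    try:
        ipaddress.ip_address(host)
        indicators.append("bare IP address instead of a domain name")
    except ValueError:
        pass

    return {
        "host": host,
        "indicators": indicators,
        "safe_to_open_unchecked": not indicators,
    }


if __name__ == "__main__":
    for link in ("https://www.example.com/results", "https://bit.ly/3abc", "javascript:alert(1)"):
        print(link, "->", screen_link(link))
```

A QR reader or mail gateway would show the indicators to the user before the link is opened; a clean result only means the link is not obviously disguised, not that it is trustworthy.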
Ensuring employees are alert to phishing scams
Phishing scams (emails apparently from a reputable source, such as a bank, that are used to capture victims’ personal information) rose by 66 per cent during some recent large-scale sporting events and remain a popular method for cyber criminals to get past a company’s defences. Phishing relies on trust, and the ease with which it is possible to make emails appear official.
Organisations can avoid this type of cyber attack by encouraging their employees to become more vigilant. Employees should be urged to ensure a source is trustworthy before engaging with it, and to understand what information they should never forward online. In addition, increasing the degree of authentication required to access corporate sites has become a popular solution to the threat from phishing, with some banks handing out PIN code devices to customers.
Managing and protecting identities of home working staff
The increase in home working is likely to create a significant risk in calls made to IT help desks, particularly to resolve issues around connecting remotely to corporate networks. Cyber criminals will exploit this vulnerability to attempt to get log-in details so they can gain access to IT systems. A common cyber attack involves impersonating someone in authority to put pressure on helpdesk staff. Implementing stronger identity management and authentication measures, or even simply testing home-working arrangements in advance, could significantly reduce risk.
PA has worked with the UK Government’s Centre for the Protection of National Infrastructure to help define, develop and deliver new national guidance on managing people, physical and cyber risk. The guidance will enable organisations across the UK's national infrastructure to strengthen cyber security, including developing a more effective response to social engineering.