It’s Halloween time, and real-life cybersecurity horror stories are at the top of many headlines around the globe. Attacks now even target victims by language and geolocation, like the Magniber ransomware, which targets only users located in South Korea and the Asia-Pacific region. The Equifax breach threatens most of our identities. There is also “KRACK” (Key Reinstallation AttaCK), an attack that breaks nearly all Wi-Fi security, making the Wi-Fi networks we live on practically unsafe – as I said before, horror stories.
Let’s talk about breach fatigue; this is a real thing among consumers and businesses alike. In fact, most now treat breaches as inevitable. According to a SailPoint survey from early 2017, three out of five companies expect to be breached, with 33% believing they won’t know they are breached when it happens.
Company employees create most risks. The SailPoint survey also found that 55% of IT respondents believe one of the fundamental reasons that departments – other than IT – represent the most significant risk is the fact that they usually lack the understanding of what actions and behaviours are potentially dangerous.
It is human nature to be trusting and to want to be helpful. Hackers know this and have long been refining social engineering* techniques that exploit this psychology as part of their ‘job.’ Some of them are Tailgating, Baiting, Phishing, and Pretexting.
Piggybacking, or Tailgating – An unauthorized individual follows an employee or another authorized person into a restricted area. Say a criminal impersonates a delivery man and waits outside your building. When an employee opens the door to the office area, the criminal asks the employee to hold the door and gains access, thanks to someone who is authorized to enter the company.
Phishing – The most common social engineering technique. A scammer sends a text or an email designed to trick people into believing it comes from a real company, and then gets them to share personal information such as Social Security numbers, account numbers, login IDs and passwords. The criminals then use that information to steal files, identities, money, or all of them.
Baiting – Very close to phishing; the only difference is that the attacker promises an item or a reward to attract the victim. For example, scammers may offer free downloads if the victim provides login credentials for a particular application or website. Baiting can also cross into the physical realm, e.g., a USB key loaded with malware is ‘misplaced’ on a desk or on the ground, so whoever finds it plugs it into a computer, either out of curiosity or to re-use it, and the malware infects the machine.
Pretexting – A ‘technique’ where hackers create a fabricated scenario in order to steal your personal information. In more advanced attacks, the cybercriminals try to manipulate the targets into taking an action that lets them exploit the structural weaknesses of the company, e.g., a hacker who pretends to be an external IT services auditor can manipulate your staff into letting them into your building.
As you can see above, the key challenge is changing employees’ behaviour and changing the culture, so that they don’t fear cybersecurity practices and feel they are working securely every day. As a consequence, security awareness training is now a mandatory requirement for companies. Our Security Awareness Training focuses on ensuring your team is prepared to help keep your company’s devices and networks safe. The training involves implementing policies that promote security and coaching employees to identify and avoid risks.
The cybersecurity of your organization is only as strong as its weakest link. Security awareness training creates what we call a human firewall, the key to ensuring your employees don’t become that weak link. Think through that trick-or-threat balance; you’ll find that a change in culture where employees see training as something they want to do rather than need to do translates into a more productive workforce.
Have you or your employees ever been threatened? What “trick” has worked for you?
Find out how vulnerable your organization is to cyber attacks by taking advantage of our FREE Cyber Security Assessment. Don’t take any chances!
* According to Wikipedia: Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. The term “social engineering” as an act of psychological manipulation of a human is also associated with the social sciences, but its usage has caught on among computer and information security professionals.