“Why would I hack a password when I can just ask for it?”
A legendary quote on social engineering that sums up the human factor in cyber security. Social engineering is one of the greatest threats organisations face and one of the easiest to exploit: it targets the psychological and behavioural traits of users rather than vulnerabilities in systems. With a single successful phishing email, threat actors can undermine thousands, sometimes hundreds of thousands, of dollars invested in cyber security protection.
The latest Notifiable Data Breaches Report by the Office of the Australian Information Commissioner (OAIC) shows Phishing as the leading source of cyber incidents, accounting for 28% of overall cases during July – December 2023. While the stats look daunting, reducing these risks starts with building cyber awareness and training into your security strategy.
Figure: Cyber incident breakdown – July to December 2023 (Source: OAIC).
Types of social engineering attacks
Social engineering targets human vulnerabilities to gain access to personal information and secure systems. Such attacks mimic reputable contacts and usually impress a sense of urgency on the recipient. Below are a few common types:
Phishing: These include the emails, texts, and phone calls many of us have grown used to receiving. Phishing attempts trick the recipient into sharing sensitive information such as credit card numbers, buying gift cards on behalf of the ‘CEO’, or ‘verifying’ login details.
Whaling: Targets high-ranking individuals such as executives and uses personalised communications that involve critical business matters requiring immediate attention. These types of attacks give good reason for executives to understand and recognise phishing attacks.
Business Email Compromise (BEC): These phishing attacks are difficult to recognise because they target people using a breached, legitimate company account. They often target people who manage financial information and transfers to trick the person into sending payment to the threat actor’s bank account. BEC scams rely heavily on social engineering techniques that exploit the trust between colleagues.
How social engineering bypasses defences
Even if your organisation has the right technology to prevent attacks, successful social engineering will undo those efforts. A few ways threat actors bypass your defences include:
Exploitation of fear and urgency: Threat actors use fear and urgency to provoke panic and impulsive actions. Communications demanding immediate attention, such as security breaches, legal matters or rejected financial transactions, can lead people to hastily work with a threat actor to resolve an ‘issue’.
Manipulation of trust and authority: Social engineers rely on people’s trust in leadership. They can extract confidential information or gain access to restricted areas by impersonating senior executives or legal authorities.
Email filtering limitations: Email filtering solutions can successfully keep many phishing emails out of inboxes, but these filters will not catch everything. Attackers will attempt to build emails that appear legitimate. They might also use a breached account to raise fewer questions and more easily bypass security measures.
Contacting people outside the company’s purview: Threat actors may attempt to target people via social media or their personal email outside of work hours. They might send messages exploiting personal connections on LinkedIn or Facebook, for example, by pretending to be colleagues or trusted company representatives.
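Two of the cues described above, an executive's name on a message sent from outside the organisation, and urgency language pushing the recipient to act, can be checked before a message ever reaches a person. The script below is an added illustration and is not code from the original post; the organisation domain, the executive roster, the urgency phrases and the three sample messages are all constructed for the example, and the scoring thresholds are assumptions rather than recommended settings.

```python
# Added example (not from the original post): a small heuristic that scores an
# inbound email for two social-engineering cues the article describes, namely
# executive impersonation from an external domain and urgency language.
# The domain, roster, phrase list and messages below are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com.au"                 # assumed organisation domain
EXECUTIVES = {"jane doe", "sam patel"}            # assumed executive roster (display names)
URGENCY_PATTERNS = [                              # assumed urgency / pressure phrases
    r"\bimmediately\b",
    r"\burgent(ly)?\b",
    r"\bwithin the hour\b",
    r"\blegal action\b",
    r"\baccount (will be )?suspended\b",
    r"\bgift cards?\b",
]


def normalise(name):
    # Lower-case and collapse whitespace so "Jane  DOE" compares equal to "jane doe".
    return " ".join(name.lower().split())


def score_email(raw):
    """Return (score, reasons) for a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + msg.get_payload()

    score, reasons = 0, []

    # Cue 1: a known executive's display name arriving from a non-internal domain.
    if normalise(display) in EXECUTIVES and domain != INTERNAL_DOMAIN:
        score += 3
        reasons.append(f"executive display name '{display}' from external domain '{domain}'")

    # Cue 2: each distinct urgency phrase present adds one point.
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            score += 1
            reasons.append(f"urgency phrase matched: {pattern}")

    return score, reasons


def verdict(score):
    # Assumed thresholds: hold obvious impersonation for review, warn on pressure alone.
    if score >= 4:
        return "hold for review"
    if score >= 2:
        return "warn"
    return "pass"


# Constructed sample messages.
SAMPLE_IMPERSONATION = """From: Jane Doe <jane.doe@mail-example.net>
To: accounts@example.com.au
Subject: Urgent request

I need you to purchase gift cards immediately for a client. Keep this confidential.
"""

SAMPLE_PRESSURE = """From: IT Helpdesk <helpdesk@example-support.net>
To: staff@example.com.au
Subject: Action required

Your account will be suspended unless you verify your password immediately.
"""

SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example.com.au>
To: accounts@example.com.au
Subject: Quarterly numbers

Could you send me the Q2 summary when you get a chance? No rush.
"""

if __name__ == "__main__":
    for label, raw in [("impersonation", SAMPLE_IMPERSONATION),
                       ("pressure", SAMPLE_PRESSURE),
                       ("benign", SAMPLE_BENIGN)]:
        score, reasons = score_email(raw)
        print(f"{label}: score={score} verdict={verdict(score)}")
        for r in reasons:
            print("  -", r)
```

A check like this is deliberately narrow: it does nothing against a message sent from a genuinely compromised internal account, which is exactly the BEC case the article describes, so it supplements rather than replaces training and a verification culture.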
3 ways to secure the human factor
“Cyber security training transforms potential targets into proactive defenders.”
Rather than provide threat actors with a way into your organisation, your staff can raise potential threats immediately and prevent them from becoming bigger problems. We recommend:
1. Conducting regular training
It is not enough to complete one-off security training when someone joins your organisation. Your company should regularly hold training that covers the latest threats and tactics.
Short, drip-fed, regular updates keep team members alert to evolving risks and constantly vigilant to attack attempts. These sessions reinforce security protocols and introduce new practices to enhance defences.
2. Simulating social engineering
While making mistakes is an excellent way to learn, learning at the expense of a breach is not the ideal lesson. Simulated phishing provides employees with practical experience in recognising and responding to these threats without putting the organisation at risk.
By staging these scenarios, employees can develop a hands-on understanding of the tactics used by cybercriminals, which enhances their ability to identify suspicious requests and avoid potential breaches.
3. Building a security culture
A security-minded culture encourages everyone to do their part in protecting the organisation. Establishing clear protocols for responding to and reporting threats empowers staff to act confidently against potential security breaches.
Company culture starts from the top down. The leadership team should exemplify security-minded behaviours and prioritise strong security practices across the company.
It’s essential to foster a culture of scepticism and verification when dealing with requests for sensitive information, ensuring employees consistently confirm the legitimacy of such requests before responding.
Conclusion
Cyber security solutions can stop threat actors from targeting vulnerabilities in your technology environment and improve your security posture against most attack vectors. However, they cannot eradicate the threat of social engineering attempts.
An effective cyber security strategy requires a balanced approach that leverages the right cyber security technology and solutions, and also focuses on securing the human factor.
Conducting regular training programs educates people on the latest threats and security practices to help them identify and respond to attacks. Simulating phishing attempts will further cement the tactics to look for in suspicious communications. Securing the human factor also involves cultivating a security-centric culture within the organisation, facilitated by promoting open communication about potential threats and simplifying the reporting process for suspicious activities.
Build a proactive cyber security strategy with Netier
At Netier, we believe that proactivity and awareness are the best approaches to cyber security. We implement solutions to strengthen your cyber security posture and complement that with cyber awareness education and training.
Whether you are starting your cyber security journey or want to enhance your existing cyber security posture, our experts can assist by reviewing your current systems and tailoring a comprehensive strategy to strengthen and protect your business. Book a call with our team to learn more about our approach.