Seeing the Bigger Cyber Threat Picture: The Impact of Social Engineering
We know that cyber threats remain a constant problem for every business.
Zscaler ThreatLabz, for example, noted that ransomware attacks increased by 80% between February 2021 and March 2022 compared to the previous year, setting new records for both the volume of attacks and the cost of damages.
But those attacks are part of a larger, overarching threat, notes Dan Roberts, Security Technician at Cooperative Systems: Social Engineering. Attack types such as phishing, whaling, diversion theft, baiting, pretexting, and scareware, among others, are often the genesis of ransomware and malware, and all are examples of Social Engineering-based hacks.
It’s All About People
“One of the key issues we see regarding most organizations’ cybersecurity challenges is simply people being human and making human mistakes,” he says. “Through Social Engineering, hackers take advantage of that vulnerability by tricking employees into compromising your security and unknowingly revealing sensitive information that helps them gain access to your systems and devices.”
He uses business e-mail compromise (BEC) as an example.
“It’s one of the larger types of Social Engineering scams we’re experiencing among our clients,” Roberts says. “Think about how many emails your employees get every day. One only has to appear as if it’s from a legitimate source — part of the psychology hackers use to get a response — for sensitive information like credentials, proprietary information, passwords, and more to get out.”
Other examples include hackers posing as CEOs or other high-ranking company officers by spoofing email addresses that are virtually indistinguishable from the real thing until they’re clicked on, and “typosquatting,” where someone sends a link to a domain that closely resembles a legitimate one, opening the door to malware, ransomware, and more when it’s clicked on.
Understanding the Impact
Here are a few key statistics that help put Social Engineering’s impact into perspective:
- According to the ISACA (formerly the Information Systems Audit and Control Association) State of Cybersecurity 2022 Report, Social Engineering attacks were the #1 attack type in 2022.
- IBM’s 2022 Cost of a Data Breach report puts the price tag of the average Social Engineering-related breach at $4.1 million.
- The IBM report also notes that Social Engineering-based data breaches took 270 days to identify and contain.
- Verizon’s 2022 Data Breach Investigations Report reveals that 82% of data breaches are based on human error (people responding to spoof emails, texts, etc.).
- Arctic Wolf’s 2022 State of Cybersecurity Trends report found that 90% of cyber-attacks target your employees, not your tech.
If you do experience a Social Engineering attack, the key to getting back up and running quickly is responding quickly. Make sure your employees reach out to you immediately should they think they’re the victim of an attack. In turn, reach out to your cybersecurity support resource so that they can help contain any threats.
“Time is certainly of the essence when it comes to any sort of incident,” Roberts notes.
Companies are also more invested in preparing for such attacks.
“We’ve seen a major push from cyber liability insurance providers and several different compliance agencies. They’re really upping the ante when it comes to what’s required of these companies — especially in terms of incident response plans — to be able to maintain the compliance, certifications, and other credentials they need to get insurance policies,” he says. “And most companies realize that this kind of coverage is key to protecting themselves, their employees, and their clients.”
“We always like to think in terms of prevention,” says Roberts, “and nothing is more effective than educating employees, making them aware of Social Engineering scams and what to look for.”
A few key steps include:
- Be skeptical and cautious. Have employees adopt a healthy dose of skepticism when it comes to unexpected or unsolicited requests via email or text, especially if they involve sharing sensitive information or performing unusual tasks. They should question the legitimacy of the request and verify its authenticity through alternate means.
“Often, these requests come in as urgent or time-sensitive,” says Roberts. “That’s one clue that you need to pay close attention to.”
- Verify the source. Encourage employees to independently verify the identity of the person making the request, particularly when receiving emails, phone calls, or messages that seem suspicious. They should use known contact information — not the information provided in the suspicious communication — to reach out and confirm the request.
“If, for example, the employee gets an email from a random Gmail account that’s saying that it’s their manager saying that they need to get a Target or Amazon gift card for a company event, that should be suspect,” he says.
- Think before clicking. Remind employees to exercise caution when clicking on links or downloading attachments, especially from unknown or untrusted sources. Encourage them to hover over links to see the actual destination URL and scrutinize the email address or domain name to detect any discrepancies or inconsistencies.
- Strengthen password practices. Promote the use of strong, unique passwords for all accounts and emphasize the importance of not sharing passwords or using the same password across multiple platforms. Encourage employees to enable two-factor authentication (2FA) whenever possible, as it provides an additional layer of security.
- Stay updated on security measures. Keep employees informed about the latest security protocols and measures implemented within the organization. This includes regular training sessions and awareness campaigns to educate them about current Social Engineering techniques and how to identify and report potential attacks.
- Report any suspicious activities. Establish a clear reporting mechanism for employees to report any suspicious activities or potential Social Engineering attempts they encounter. Encourage them to report incidents promptly to the appropriate IT or security personnel, ensuring that they feel supported and that their concerns are taken seriously.
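The “think before clicking” step above, together with the typosquatting example earlier in the article, can be turned into an automated check that a help desk or mail gateway could run over a reported message: extract every link, compare the domain the link text shows with the domain the href actually points to, and compare the destination against a list of trusted domains after folding common digit-for-letter substitutions and allowing a small edit distance. The Python below is an added example written for this page, not code from the article or from Cooperative Systems; the trusted-domain list, the sample email and the distance threshold are constructed assumptions.

```python
"""Lookalike-link check for an email body (added example; TRUSTED_DOMAINS,
SAMPLE_EMAIL and the thresholds are constructed, not from any real deployment)."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist (hypothetical): the organisation's own and vendor domains.
TRUSTED_DOMAINS = {"example.com", "payroll-provider.example", "hr-portal.example"}

# Digits commonly swapped for the letters they resemble; constructed, non-exhaustive.
DIGIT_LOOKALIKES = str.maketrans("01357", "olest")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain extraction (last two labels). Adequate for the
    example; a production tool should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalise(domain):
    """Fold accents and common substitutions so 'examp1e.com' == 'example.com'."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return folded.translate(DIGIT_LOOKALIKES).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_links(html, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of (href, reason) findings for links worth a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not host:
            continue  # mailto:, tel:, relative links: no destination domain to compare
        dest = registrable(host)
        shown = DOMAIN_RE.search(text.lower())
        if shown and registrable(shown.group()) != dest:
            findings.append((href, f"link text shows {registrable(shown.group())} but goes to {dest}"))
        if dest in trusted:
            continue
        for good in trusted:
            if normalise(dest) == normalise(good):
                findings.append((href, f"confusable lookalike of {good}"))
                break
            if levenshtein(normalise(dest), normalise(good)) <= max_distance:
                findings.append((href, f"typosquat candidate of {good} (edit distance <= {max_distance})"))
                break
    return findings


# Constructed sample message: a clean vendor link, a link whose visible URL differs
# from its destination, a digit-for-letter lookalike, and a clean internal link.
SAMPLE_EMAIL = """
<p>Your payroll statement is ready.</p>
<a href="https://portal.payroll-provider.example/login">View statement</a>
<a href="https://secure.payrol-provider.example/login">https://portal.payroll-provider.example</a>
<a href="https://examp1e.com/reset">Reset your password</a>
<a href="https://www.example.com/handbook">https://www.example.com/handbook</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the sample, the check flags the second link twice (the displayed domain does not match the destination, and the destination is one edit away from a trusted vendor) and the third link once (a digit standing in for a letter), while the two legitimate links pass. The normalisation only covers a handful of substitutions on purpose; the lesson for a reporting workflow is that the href, not the visible text, is what gets compared, which is exactly what hovering over a link shows a human.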
“These may seem like common sense tips and this list is certainly not comprehensive,” he adds. “But these points represent the kind of thinking and preventive measures you want your people considering.”
“What sometimes surprises me is the number of people that — even given all the news and information out there about Social Engineering and hacking — still don’t believe their business could be victimized,” continues Roberts. “One of the misconceptions is that your threat actors are only going to go after Fortune 500 and other big companies; that they have no interest in smaller companies. Any business, large or small, is subject to attack, so it pays to be prepared.”
To learn more, download our complimentary Social Engineering Red Flag guide. And for more information about our enhanced cybersecurity offerings, including in-depth cybersecurity awareness training for your employees, visit our website.