It’s no secret that people are often the weakest link in the cyber security chain. More than 50 percent of security breaches are attributed to human error. But is it as simple as pointing to gross carelessness or negligence for these mistakes? Often, basic human nature is exploited by social engineers who are skilled and opportunistic. If social engineers can find a weak spot in your company’s staff, that’s where they’ll aim first.
Let’s dig a bit deeper into the reasons social engineers are successful.
Reason #1: People Care, Machines Don’t
If you are emailing a critical report and the file is over the size limit for your mail server, your file isn’t going to go through. After all, the mail server couldn’t care less whether your job depends on it being delivered. But people are more forgiving. They don’t want someone to get fired because they couldn’t email a report in time, so they usually try to help out.
However, that willingness to help can turn into an opportunity for a social engineer to strike. A spear phishing email impersonating your boss might say, for example, “I’m doing a presentation for one of the Vice Presidents in 10 minutes and the print store screwed up my order. Can you print the files on the USB drive please? I’m done for if I screw this up!”
In this instance, you’d probably think you were simply helping a co-worker. In fact, plugging an unknown USB drive into your machine and opening whatever is on it is exactly the action the attacker needs you to take; the urgency and the flattery in the message exist only to stop you from pausing to verify.
Reason #2: Workers Don’t Practice Cyber Security Hygiene on Social Media
While social and professional networks are excellent information and communication tools that make our lives easier, they’re also a rich source of intel for social engineers: job titles, reporting lines, travel plans, vendor relationships and internal jargon all make a pretext more convincing. As Nick Hayes from Dark Reading puts it, “Cyber criminals weaponize social media sites and their data.”
In its 2016 Beyond the Phish Report (a survey of over 100 security professionals), Wombat Security Technologies found that 31 percent of respondents missed the assessment questions they answered on safe social media practice in the workplace. Overall, oversharing corporate information on social media and improper data handling remain cyber security risk factors.
Reason #3: Employees Sometimes Have a ‘Not My Problem’ Attitude
Just as workers’ caring and helpful nature can be used against them, so too can their lack of care. Lack of care isn’t always the same as outright negligence. There are plenty of examples of workers who know something isn’t right, or that a more cautious step is needed, but who are too preoccupied to follow through.
Here’s a conversation that happens all too often:
Employee 1: “I’ve never seen this person in our building before.”
Employee 2: “Must be a new guy or a visitor. Oh well, I’m sure someone knows why he’s here.”
It’s convenient to depend on someone else to have the answer; it’s inconvenient to take an extra step out of a busy work day to find the answer. Social engineers depend on that attitude to slip through the cracks.
Reason #4: People Mean Well, but They Are Forgetful and Fall Back on Habit
The reality is that no matter how much cyber security training and education employees get, there is a tendency to fall back on basic human and workplace instincts. Breaking old habits is always tough.
For example, when checking email, it’s only natural to want to click a link or an attachment, especially if you’re in a rush. Social engineers are counting on that impatience as well. There is so much going on in any given work day that these lapses in judgment happen easily.
So how do we help stop this type of behavior? Can we at least curb it enough to prevent social engineers from being successful?
We can prepare the workforce with the right tools and approaches to act appropriately. Here are four important fundamentals your workforce should practice:
- Stay Aware and Educated: If your staff isn’t aware of the different threats that exist, they have little hope of detecting or defeating social engineering. Provide regular updates on new threats and tactics, and what may signal a social engineering attempt.
- Verify Suspicious Activity: If something doesn’t seem right, verify it. Check badges, access requests, phone numbers, websites, and email addresses, and do the checking through a channel you already trust rather than the contact details supplied in the suspicious message itself. Look people up on LinkedIn or their company’s website to see if they work where they say they do. People need to have confidence when challenging suspicious activity, whatever it may be. It’s critical that employees know leadership will have their back, even if the challenge causes an inconvenience or delay.
- Analyze Before Hitting Send: Before sharing any information, consider the ramifications of that data being made public. Who could use it? Would it be embarrassing? How could it hurt your company or your customers?
- Always Err on the Side of Caution: Treat sensitive company data with the same release discipline you would apply to classified information. If in doubt, consider it sensitive and internal only. Before sending a colleague your company’s W-2 information, for example, pick up the phone and call them on a number you already have to make sure the request is legitimate, instead of just emailing it without question. It’s better to err on the side of caution than risk handing something to malicious actors. This applies to information and requests coming from both within and outside your organization.
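The “verify email addresses” advice above, and the boss-impersonation pretext from Reason #1, can be partly automated before a message ever reaches a person. The following is an added example, not code from the original article or from its author: it parses a message’s From and Reply-To headers and flags the three cheapest impersonation tricks, a known colleague’s display name attached to an outside address, a lookalike of the company’s own domain, and a Reply-To that silently redirects the conversation elsewhere. The internal domain, the staff directory and the sample headers are all constructed for the example.

```python
"""Flag e-mail sender headers that look like colleague impersonation.

Added example. The internal domain list and the staff directory below are
constructed placeholders; a real deployment would pull them from the
organisation's directory service.
"""
from email.utils import parseaddr
from typing import List, Optional, Set
import unicodedata

# Constructed for this example: the organisation's own mail domains and a
# tiny "directory" mapping a normalised display name to the address it
# should always come from. "Alice Chen" plays the boss being impersonated.
INTERNAL_DOMAINS: Set[str] = {"example.com"}
DIRECTORY = {
    "alice chen": "alice.chen@example.com",
    "bob ortiz": "bob.ortiz@example.com",
}


def normalise_name(name: str) -> str:
    """Lower-case, strip accents and collapse spacing so that
    'Alice  CHEN' and 'Alíce Chen' both match the directory key."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().split())


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch examp1e.com vs example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, trusted: Set[str]) -> bool:
    """True if `domain` is a cheap imitation of one of our domains:
    within two edits of it, or embedding its name (example-com.net).
    Our own domain and its subdomains are never lookalikes."""
    squashed = domain.replace("-", "").replace(".", "")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return False
        if edit_distance(domain, t) <= 2:
            return True
        if t.split(".")[0] in squashed:
            return True
    return False


def assess_sender(from_header: str, reply_to_header: Optional[str] = None) -> List[str]:
    """Return the reasons a message deserves out-of-band verification.

    An empty list means the headers show nothing suspicious; it is not
    proof that the message is genuine, since a compromised real mailbox
    passes every check here.
    """
    findings: List[str] = []
    name, addr = parseaddr(from_header)
    dom = domain_of(addr)
    key = normalise_name(name)

    # 1. A colleague's name on an address the directory does not know.
    if key in DIRECTORY and addr.lower() != DIRECTORY[key]:
        findings.append(f"display name '{name}' belongs to a colleague but address is {addr}")

    # 2. A domain that imitates ours (typo-squat, homoglyph, bolted-on token).
    if dom not in INTERNAL_DOMAINS and lookalike(dom, INTERNAL_DOMAINS):
        findings.append(f"sender domain {dom} looks like an internal domain")

    # 3. Replies quietly routed somewhere other than the apparent sender.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if domain_of(reply_addr) != dom:
            findings.append(f"Reply-To {reply_addr} uses a different domain than From")

    return findings


if __name__ == "__main__":
    # Constructed sample headers, from benign to blatant.
    samples = [
        ("Alice Chen <alice.chen@example.com>", None),
        ("Alice Chen <alice.chen@gmail.com>", None),
        ("Alice Chen <alice.chen@examp1e.com>", "finance@outlook.com"),
    ]
    for from_hdr, reply_hdr in samples:
        print(from_hdr, "->", assess_sender(from_hdr, reply_hdr) or ["no header findings"])
```

The checks are deliberately header-only so they can run at the gateway or in a mail client add-in without opening attachments; they catch the impersonation patterns the pretext in Reason #1 relies on, and nothing more. A message that passes still warrants the phone call described above whenever it asks for money, credentials or personnel data.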
Following some basic defense techniques will deter adversaries and make their job significantly harder while making you and your company significantly safer. For example, we recommend you start with a mandatory cyber hygiene course that all staff attend. This is a cost-effective way to reduce cyber security risk and educate your workforce.
Learn more about our cyber security training courses, and view our on-demand webinar, “How to Invest Your 2017 Cyber Security Training Budget for Maximum ROI.”