Of course, such tactics are not new. We regularly see spikes in social engineering tactics around major events and catastrophes. Criminals respond to hurricanes and other natural disasters by pretending to be relief organizations, and major sporting events such as the World Cup where they lure victims with promises of discounted tickets or free streaming services.
Social Engineering Works
The reason that social engineering – an attack strategy that uses psychology to target victims – is so prevalent, is because it works. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), nearly one-third of all data breaches involved phishing in one way or another. Cybercriminals are opportunistic, and they constantly prey on the only vulnerability that cannot be patched – humans.
It is a perpetual bombardment, every minute of the day, 24x7x365. And the odds are in the favor of the attacker, because they only need one unsuspecting person to click on a malicious link or attachment to open up the gates into the corporate network. And the truth is, nobody is immune – from entry-level employees, contractors, and interns at one end, on up to the C-Suite at the other. Business partners can also be indirect targets, mining them to obtain information to soften up targets. And for those of us now connecting to the office through our home networks, even our children are potential targets. Even seasoned security professionals get caught off-guard, in part because attack tactics have become more sophisticated.
The goal, of course, is to gain access to our networks and sensitive information, either to steal it, corrupt it, or hold it for ransom. Most often, however, spear phishing is just the tip of the attack, and can easily go unnoticed by a victim who has been compromised.
Training Alone is Not Enough
Of course, cybersecurity awareness has grown – up to 95% of employees now receive phishing training so they can learn to spot suspicious emails. This is important progress, as most breaches start with a phishing email followed by an unsuspecting employee who opens a malicious file or clicks on a bad link. Despite this training push, however, the number of employees that can tell the difference between a legitimate email and a malicious one remains frighteningly low. That’s because cybercriminals are experts at the art of masquerading, manipulating, influencing, and devising lures to trick targets into divulging sensitive data, and/or giving them access to our networks and/or facilities.
There are two challenges at play here: employees are not taking cybersecurity seriously, and cyberattacks are getting even more sophisticated. For example, there are still far too many employees who never change their passwords, and two-thirds who still do not use a password management tool. At the same time, years of training people to identify phishing emails, avoid clicking on suspicious links, and follow best practices with their passwords have not panned out the way InfoSec professionals would have liked.
The thing is, people know they need to use complex passwords, but they still use obvious choices that hackers can easily guess or discover by simply browsing a target’s social media sites, such as their pet’s name, the name or birthday of their child, or the year they graduated from college.
The problem is not awareness – it is rooted in human behavior. Safe password practices – using long passwords with non-sensical characters and numbers, for example – take extra effort to implement. And when it comes right down to it, employees have shown that, for whatever reason, the extra effort is not worth their time and energy.
Security 101: It’s All About People, Products, and Process
The first step is to help employees feel like they are part of the security team. Helping them understand the repercussions of a security event, and how it can personally affect them, is a good place to start. Seeing connections such as these – between safe cybersecurity practices and the positive impact they feel they are making when everyone is engaged and responsible – should lead to direct improvements in how people behave when they are confronted with suspicious cyber behavior or questionable email or websites.
Next, give employees the tools they need to succeed. For example, in most organizations there is typically no easy way for employees to manage a multiplicity of complex passwords. If they choose to use a password management program, one which generates and manages complex passwords, it is only because of their own initiative.