How to prepare for cyber attacks before they happen

Cyber criminals want your information and your money ― both, if possible.  Confidence scams are as old as human history, but in the modern age, they increasingly involve technology in an attempt to gain access to your computer systems, your information and, ultimately, your money.   Cyber security professionals refer to these scams as social engineering attacks – using technology to facilitate the scams and take advantage of the natural human nature to trust. 

The most prevalent technique most of us are familiar with is the use of “phishing” emails.  Phishing attacks are emails designed to get you to click on a link, launch an attachment, call a phone number or make contact with a con artist.  But did you know Social Engineering can involve phone calls, fake web sites, emails targeted at specific personnel and even physical activities?  If you research Social Engineering, you will see terms like:

• Spear Phishing (targeting specific individuals)
• Shoulder Surfing and Tailgating (bypassing physical security controls)
• Pretexting (invented scenario to take advantage of the victim)
• Baiting (offering something they cannot resist)
• Quid pro quo (helping someone solve a problem, while taking advantage of them)
• Credential Collecting Site (fake site tricking the victim into entering their credentials)
• Ransomware (malware that holds your data hostage until you pay the ransom)

Some of these are petty criminals looking to make a quick buck by stealing your credit card information, selling your identity, or charging you for fake merchandise or services.  The really dangerous criminals want access to your organization’s network, computers and applications so they can steal a large number of records, trade secrets, intellectual property or conduct major fraud. 

Most of the major breaches reported in the press during the last three years can be traced back to a social engineering attack.  In each case, the Social Engineering effort resulted in some access to the victim’s network, computers or applications.  The attackers used their foothold to gain access to additional confidential systems so they could identify targets, collect data and exfiltrate the data from the victim’s environment.  Once the attackers have the confidential data, they sell it to criminals, ransom it back to the victim or use it to publicly embarrass the victim.

If major retailers, entertainment companies, healthcare organizations and service companies with millions of dollars invested in technology can be compromised, what can smaller organizations do?  Lots, actually.  Technology is a great tool if used appropriately, but social engineering is based on taking advantage of human trust, and often smaller organizations have an easier time addressing training and trust issues.  Here are a few ideas to reduce the risk from social engineering:

• Knowledge – Understand your environment, what sensitive data exists in the environment, who has access to it and how it is protected.
• Internal Controls – Implement internal controls to protect your financial systems from fraudulent transactions, or at least detect them if they occur.
• Training – Take time to train your team about social engineering.  Not just the daily phishing emails, but all forms of social engineering and who/how/when to report suspicious activity.
• Culture – Encourage a culture where it is ok to report potential attempts – even the “I may have clicked on something” reports, so you can reinforce training and identify issues early.
• Technology – Many technology solutions exist to help with everything from inspecting emails for attachments and links, blocking connections to malware sites, requiring strong authentication and logging security events.The key thing to remember is that technology is part of the overall solution; there is no silver bullet.
• Vigilance – Make the effort to evaluate your security, test user knowledge and assess the people, process and technology environment on a regular basis to determine where updates, changes or new solutions may be needed.  An ongoing process is critical to maintaining security.

Technology advances continue to break down geographic barriers, enable new business opportunities and improve our efficiency, but they also increase our risks.  Social engineering attacks take advantage of the technological advances while exploiting the weak points in our defenses, our people.  The threats are present, the risks are real, so address them using the appropriate combination of the recommendations above that fit your environment.  While there is no silver bullet, there are many ways to reduce the risk for your organization using the right combination of people, process and technology.