October is International Cybersecurity Awareness Month. It is an excellent time for businesses to review their cybersecurity strategy and make some small simple changes that can result in a far greater level of safety and security.
More than 99 percent of cyberattacks rely on human interaction to work – clicking links, opening documents, accepting security warnings – making individuals the last line of defence. To significantly reduce risk, organisations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defences.
Use of Social Engineering for Refined Phishing Campaigns
Email scamming has exploded over the past few years as attackers have streamlined, refined, and professionalised their operations. Proofpoint’s Human Factor Report 2019 highlights an increasing sophistication and prevalence of social engineering across businesses as attacks shift from smash-and-grab ransomware campaigns to well-crafted business email compromise (BEC) schemes and domain fraud. Attackers are continually refining the angle taken by their phishing campaigns, with themes varying widely by both actor and intended target, exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.
Social networking sites have made social engineering attacks easier to conduct. Today’s attackers can go to sites like LinkedIn and find all of the users that work at a company and gather plenty of detailed information that can be used to further an attack. Additional research can be done by scanning corporate websites, publications, and other documents. Once attackers have identified an intended victim, the victim’s email account can often be easily discovered through a Google search. Attackers will mimic business routines to avoid detection, with less than 5 percent of overall phishing messages delivered on weekends and the largest portion – over 30 percent – delivered on Mondays.
Protecting Against Social Engineering Attacks
Currently, the best defence against social engineering attacks is user education combined with layers of technological defences that detect and respond to attacks. Ensure your organisation has a comprehensive security awareness training program in place that is regularly updated to address both general phishing threats and new targeted cyber threats. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics. Detection of key words in emails can be used to weed out potential attacks, but even those technologies will probably be ineffective in stopping skilled social engineers.
Employees also need clear instructions on reporting lines should they believe they have been targeted. Additionally, organisations should run drills on a routine basis; these contribute to awareness and to a culture of identifying attacks, and they reinforce organisational policy around reporting.
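To make the "key word detection helps, but skilled social engineers get past it" point concrete, here is an added example (not code from Stratium Global or from the Proofpoint report) of a small email triage scorer. It combines keyword matching with two cheap header checks, sender domain versus the organisation's own domain (including a lookalike test) and Reply-To mismatch, and runs it over three constructed messages. The domains, keyword list, weights and threshold are all assumptions chosen for the illustration; the second message is a plain-language BEC-style request that scores low precisely because it contains no trigger words or links, which is the gap that awareness training and reporting lines are meant to cover.

```python
import re
from email.utils import parseaddr

# Illustrative keyword list and weights (assumed for this example, not a vendor's list).
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "gift card",
                 "verify your account", "password")
FLAG_THRESHOLD = 5


def _edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Return the lowercase domain part of an address such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def score_message(msg, trusted_domain):
    """Return (score, reasons) for a message dict with 'from', 'body' and optional 'reply_to'."""
    score, reasons = 0, []
    body = msg["body"].lower()

    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        score += 2 * len(hits)
        reasons.append("keywords: " + ", ".join(hits))

    sender = domain_of(msg["from"])
    if sender != trusted_domain:
        score += 3
        reasons.append("external sender domain: " + sender)
        # A domain within two edits of ours is a classic lookalike registration.
        if _edit_distance(sender, trusted_domain) <= 2:
            score += 4
            reasons.append("lookalike of " + trusted_domain)

    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender:
        score += 3
        reasons.append("reply-to domain differs from sender")

    if re.search(r"https?://\S+", body):
        score += 1
        reasons.append("contains link")

    return score, reasons


def classify(msg, trusted_domain, threshold=FLAG_THRESHOLD):
    """True if the message should be held for review."""
    score, _ = score_message(msg, trusted_domain)
    return score >= threshold


# Constructed sample messages; example-corp.com is the assumed internal domain.
SAMPLES = [
    {   # 1: classic credential phish, easy to catch on keywords and headers
        "from": "IT Support <helpdesk@examp1e-corp.com>",
        "reply_to": "collect@mailer-example.net",
        "body": "URGENT: verify your account immediately at http://examp1e-corp.com/login",
    },
    {   # 2: low-key BEC opener with no trigger words or links; slips under the threshold
        "from": "Jane Doe <jane.doe.ceo@gmail.com>",
        "body": "Hi Sam, are you at your desk? I need a quick favour handled discreetly before my 3pm.",
    },
    {   # 3: legitimate internal mail that happens to use an urgency word
        "from": "Sam Lee <sam.lee@example-corp.com>",
        "body": "Reminder: the urgent change window starts Monday at 06:00.",
    },
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLES, 1):
        score, reasons = score_message(m, "example-corp.com")
        verdict = "HOLD" if classify(m, "example-corp.com") else "allow"
        print(f"msg {i}: {verdict} (score {score}) {reasons}")
```

Message 1 scores high on every channel (three keywords, external lookalike domain, Reply-To mismatch, link), message 3 scores low because the only hit is a legitimate internal use of "urgent", and message 2, the one a trained employee should question, is flagged only weakly for its external domain. Tuning the threshold down to catch message 2 would also start holding every external contact, which is why the page treats keyword detection as one layer rather than the defence.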
Stratium Global’s team of cyber experts can help your organisation by building a cybersecurity program, reviewing and updating your current plan, and developing your own security awareness training.
Contact us today: firstname.lastname@example.org
Analyst, Global Intelligence and Threat Analysis
Former Senior Intelligence Analyst with the FBI and US Navy with expertise in the National Security and Law Enforcement environment.