With the recent high-profile hacks that have been reported on by major media outlets, cybersecurity has taken a larger place in the public consciousness than ever before. While some of these hacks were perpetrated by foreign governments against other governments, others were carried out by and against private organizations. In rare cases, these hacks succeeded because someone was able to exploit a weakness in existing security measures, gain access to the systems that publish code, and deploy exploits from there. More commonly, however, these attacks were carried out via a much simpler approach: social engineering. Below, we’ll discuss how social engineering hacks play out, what they mean for your company, and what you should be aware of moving forward as a business owner.
What Is Social Engineering?
Social engineering is a common tactic criminals use to gain access to organizations and their data. Instead of exploiting or cracking security measures, social engineering relies entirely on winning someone’s trust, using personal information to manipulate a person, or using an individual’s information to get past security measures. Through these methods, an attacker can gain access to email, server logins, system accounts and general data—both customer and financial. Sometimes, the criminal will use a social attack to gain access to a network or database and then insert malicious code to accomplish their ends.
What Does This Mean for My Company?
It means that while not all of your employees will need the technical literacy of an IT professional, they will need to recognize the basic forms of social engineering attacks so they can avoid them. This can be accomplished through training and through reporting on the potential outcomes of a successful attack. Employees should know the best practices for avoiding a social engineering scheme, and they should understand how devastating the consequences can be for the company if they do fall victim.
What Should Someone Be Aware of as Possible Avenues for Attack?
Far and away the most common route by which someone will attack you through manipulation is email. Some dangerous emails will look official, and some will not. Watch out for subject lines such as “Your account has questionable activity on it”, “4th of July Hotel Deals”, “Large Corporation Monthly Bill Change Update”, and other emails that do not seem personal in any way. It is all a numbers game, and the numbers will always be in the attackers’ favor if your company isn’t prepared.
You will also want to make sure that you have the proper systems in place to keep office networks and business data compartmentalized and free of infection. Attacks can happen in many ways, which means that your entire business is only as strong as its weakest link. This is especially true in a work-from-home environment, but it extends beyond that. If one employee gets a virus on her phone that allows access to her email, that could be all an attacker needs to gain full access to the company’s systems.
For example, imagine an employee who gets a virus on their personal laptop through social media. This employee has a dedicated computer for work, but they sometimes bring their personal laptop into the office for personal use. All it takes is for this person to connect the infected laptop to the office network, and they could potentially infect the entire network and every device connected to it. An interconnected network full of different devices also means that if something as simple as a Wi-Fi printer gets infected, then without a proper cybersecurity plan in place you could be at risk of a full compromise or a ransomware infection. Making sure that any unapproved network access cannot cripple the entire company is just as important as avoiding threats in the first place.
What Should We Do to Prepare?
If some of your employees are working from home, it’s important to institute a security policy—potentially one that limits any activity that could expose their machines to viruses. Alternatively, a policy could be built around each individual device. It is important to run monthly tests and produce reports, both of which a cybersecurity professional can help you with. As mentioned above, another important aspect is educating your employees so that they know what scams look like and how to avoid viruses on their work computers. It may also be worth implementing one network for personal devices and a separate one for work devices. This way, if someone’s phone gets infected, it won’t end up infecting coworkers’ devices and, by extension, their user accounts.