With social engineering now a bigger threat to businesses than hacking, spamming or DDOS attacks, Jason Fry – Managing Director at PAV i.t. services – a company that works with clients across the UK providing technical solutions including training to prevent hacking and data security breaches – discusses how businesses can safeguard themselves from falling foul of cyberattacks
With UK firms losing £18 billion in revenue from cyberattacks in 2015 alone, and 90% of major businesses experiencing a security breach in the past year, digital threats are becoming more and more of a challenge for companies and their clients.
However, one of the most prevalent threats currently facing the business community is human naivety in the face of increasingly sophisticated and elaborate social engineering scams – a series of con technqiues designed to extract key information from unwitting individuals. It’s no longer about simply obtaining banking or credit card details but gathering the right information to enable fraudsters to dupe their targets in a more intricate and elaborate way.
Inadequate email protection
The most vulnerable area for companies is the loss of information through either the neglect or inadequate protection of email when collating customer information, which makes accessing information all the more easy for fraudsters. If scammers are able to gather this information they can use it to dupe customers for monetary gain via ‘spear-phishing’ – a process used by a fraudster which involves imitating emails so recipients believe it is from someone they know.
One of the more popular examples of such a scam is when companies require a deposit for a product or service and are conducting the majority of their business over email. Fraudsters will replicate an email in the guise of the company to ask the customer for a settlement fee. As far as the customer is concerned, because the email appears legitimate, and contains information that is factually correct, they have no reason to question its plausibility and can be tricked into willingly transferring funds to the fraudster. The customer is none the wiser until a bonafide sales consultant contacts them directly requesting payment, at which point it is too late to rectify and retrieve the money – not a good advertisement for any business.
This isn’t an uncommon scenario and one that can cost businesses dearly in both financial terms and reputational damage. The consequential fallout from the loss of trust from customers can have a huge impact on a businesses’s bottom line so ensuring a company has the right protection in place, which is regularly reviewed and updated, is paramount to them protecting themselves. Businesses can reduce the risk further by making customers aware of how they will carry out transactions during the sales process.
Employee awareness and education
The weakest link for the majority of businesses tends to be employees who have received little in the way of training to spot the potential pitfalls of online scams, or are simply unaware of the techniques used by social engineering fraudsters.
Both companies and their customers need to be educated about the issues which arise from human naivety. Employees most at risk because of the nature of their job, such as staff able to authorise payments or cash transaction should be operating a two layer authentication process to help eliminate breaches – a username and password and the additional backup of a randomly generated personal identification number (PIN) for every new transaction they process.
Furthermore, employees should not be able to access applications using a ‘group’ password as this leaves businesses wide open to any cracks they may have in their security protection policies.
Password policies need to be rigorous and passwords should be updated frequently using a variation of letters, numbers and characters to ensure they aren’t weak. Default passwords, or using the same passwords for numerous applications, should be avoided.
Adequate email protection
Using employee data from easy to obtain information sources such as LinkedIn can make it incredibly easy for fraudsters to gain access to company emails. This is particularly the case in large groups, where employees aren’t immediately recognisable to management and scammers can impersonate a member of staff ‘working from home’ in order to extract sensitive information, such as passwords, over the telephone. Alternatively they aim to dupe lower tier staff using company hierarchies by sending emails requesting data whilst posing as senior management.
Businesses can reduce their exposure to such risks by ensuring end users are only able to access the data they need and immediately removing access to systems the moment someone in the business leaves.
Sharing experiences
Businesses would benefit greatly from an online community where they can share their experiences of cyberattacks and security breaches and get peer to peer advice to learn, benefit and reduce the likelihood of an attack. There is no doubt that numerous organisations have fallen victim to cyberattacks, security breaches and scams, but unfortunately the subject still remains much of a taboo amongst business communities that don’t wish to admit to falling foul of a security breach.
Upcoming threats
Fraudsters are becoming more and more adept at formulating intricate and complex ways to infiltrate and breach data. Although security software will help ward off potential threats, fraudsters will always aim to be one step ahead so individuals need to keep their wits about them to avoid any unpleasant surprises.
Ransomware – a form of malware, which typically propogates itself as a trojan, systematically encrypting files on a system’s hard drive, rendering it impossible for users to access or unlock devices without paying a ransom – is predicted to be a major upcoming threat to businesses, as well as the wider economy, with the potential to cause unprecedented disruption.
A robust security policy needs to not only include the traditional protection of systems, such as anti-virus and firewall software, but also iron clad processes should be adopted and communicated effectively to staff to prevent information from being leaked and to reduce the likelihood of customers becoming victims of duping scams.
Companies who aren’t fully prepared for the extremity of cyberattacks are extremely vulnerable to suffering a security breach and should seek professional advice to ensure that their data and systems are properly safeguarded.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.