Cybersecurity and risk department leaders can invest in all the best cybersecurity tools but if they’re not focusing on securing their own employees, they’re opening themselves up to a major security gap.
Employees often have access to company secrets, its most critical and sensitive files, and access to databases and servers that, if compromised, can result in an organisation being disrupted to the point of being unable to perform their services.
Unfortunately, the average employee isn’t a cybersecurity expert and may not even be aware that they hold access to sensitive information. The result is lax security habits and a susceptibility to social engineering attacks designed to prey on that lack of knowledge.
It’s this combination of broad access and relative unawareness that makes employees the perfect target for malicious hackers and bad actors. This is why employees are the most common targets, and why they are usually hit with social engineering attacks that can lead to compromised accounts, organisations, and assets.
In 2021, social engineering attacks increased 270%, largely due to the expanded use of cloud-based services. Because critical files and data are no longer housed on a company’s own servers but in SaaS applications, an employee’s account is often the only thing standing between an attacker and that data. Hackers know that a set of valid credentials obtained through social engineering is more likely to get them in than an attack on the infrastructure itself.
We’re going to discuss what social engineering attacks are and how you can reduce the risk of these attacks compromising your organisation.
Social engineering refers to a set of techniques that manipulate a person into taking an action that benefits the attacker, such as handing over credentials, approving a payment, or opening a malicious attachment, often without the victim realising anything is wrong. Social engineering is usually the first step an attacker takes, the initial access that lets them do further damage. From that foothold, malicious attackers may be able to drop ransomware in an environment, reach customer data, or exfiltrate trade secrets.
Social engineering takes a number of forms and ranges from low to high sophistication in the technology and methods used. Here are a few examples:
Social engineering is dangerous because it relies on trust and urgency, pushing the victim to act quickly without double-checking that the request is genuine. Business Email Compromise (BEC) attacks succeed largely through social engineering. These are attacks that get a victim to send money to the attacker: the attacker pretends to be the CEO, the CFO, or a potential vendor with a fake invoice. Because the pretext is plausible, the impersonation is convincing, and the communication arrives through work email, the victim believes the request is legitimate. Between 2016 and 2019, reported BEC losses reached $43B.
Because social engineering attacks are tailored to the person and arrive over many different channels, there’s no single defence against them. However, with a mix of process, policy, and technology, you can reduce the risk of these scams compromising your employees.
Security awareness training is one of the most helpful tools for helping employees spot all kinds of attacks, and any programme you enrol your employees in should cover social engineering that arrives over channels other than email, such as text messages, not just classic phishing.
However, you should also implement specific policies that detail:
1) What an employee should do if they come across a suspected social engineering attack. A clear reporting path raises their awareness of attacks and gives you early warning of spear-phishing or other targeted threats your organisation might be facing. That lets you prioritise and take action to minimise the risk of compromise.
2) The process for certain actions and communications within the organisation. Making it clear that communications happen through official channels and that, for example, a wire transfer requires a defined approval step verified through a channel other than the one the request arrived on, will stop an employee from thinking a fake text from the CEO is enough to take a potentially dangerous action. Being clear about processes also helps employees notice when a request doesn’t follow them, which is often the first sign of a phishing email.
Hackers target employees because they know employees have access to sensitive files and databases. If you have implemented identity and access management, applied the principle of least privilege, or adopted a zero trust model, you reduce how much an attacker gains by compromising the average employee.
Identity and access management (IAM) governs who can authenticate and what they are entitled to, typically by assigning access on a role-by-role basis so that employees can reach specific data only when their function requires it. The principle of least privilege takes this further: every identity gets the minimum access needed to do its job, nothing more, and grants are reviewed and removed once they are no longer needed. Zero trust is the most restrictive of the three. As the name implies, it assumes a compromise has already happened, drops any implicit trust based on network location, and requires every access request to be authenticated and authorised against the identity, the device, and the context of the request.
Ideally, you’ll adopt a mix of these strategies that effectively balances security without compromising on productivity.
Awareness and visibility of your environment are needed both to detect whether your data has been compromised via a social engineering attack and to ensure any access limitation or identity management system you’ve put in place is comprehensive. If, for example, you’re unaware that the sales department has access to sensitive finance or HR documents, then your access management implementation will skip over that, leaving a significant security gap.
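The kind of access review the previous paragraphs describe, written out as an added example (this is illustrative code, not Metomic’s product or the article’s own material). It compares an inventory of shared files against a least-privilege role matrix and reports every grant that exceeds it, plus files exposed by link sharing. The role matrix, the file inventory, the department names, and the sharing-mode labels are all assumptions constructed for the example; a real review would pull the inventory from the SaaS provider’s API.

```python
"""Least-privilege access review over a SaaS document inventory.

Added example, not Metomic's code. The role matrix, the file inventory and
the sharing-mode names are assumptions constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Which departments have a functional need for each data classification.
# "*" means the data is public, so any grant is acceptable. (Assumed matrix.)
ROLE_MATRIX = {
    "finance": {"finance", "executive"},
    "hr": {"hr", "executive"},
    "customer-pii": {"support"},
    "public": {"*"},
}


@dataclass
class SharedFile:
    path: str
    classification: str        # key into ROLE_MATRIX; "" if never classified
    grants: dict               # user email -> department of that user
    link_sharing: str = "restricted"   # "restricted" | "domain" | "anyone"


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str                  # overbroad-grant | public-link | domain-link | unclassified
    detail: str
    subject: str = ""          # the user behind an overbroad grant, if any


def review(files, matrix=ROLE_MATRIX):
    """Return every grant or sharing setting that exceeds the role matrix."""
    findings = []
    for f in files:
        allowed = matrix.get(f.classification)
        if allowed is None:
            # Unclassified data cannot be evaluated, which is itself a gap.
            findings.append(Finding(f.path, "unclassified", "no classification recorded"))
            continue
        if "*" in allowed:
            continue
        for user, dept in f.grants.items():
            if dept not in allowed:
                findings.append(Finding(f.path, "overbroad-grant",
                                        f"{user} ({dept}) can read {f.classification} data",
                                        subject=user))
        if f.link_sharing == "anyone":
            findings.append(Finding(f.path, "public-link", "readable by anyone with the link"))
        elif f.link_sharing == "domain":
            findings.append(Finding(f.path, "domain-link", "readable by every account in the domain"))
    return findings


def summarise(findings):
    """Count findings per kind, to prioritise the clean-up."""
    return dict(Counter(fi.kind for fi in findings))


def revocations(findings):
    """(path, user) pairs whose grant must be removed to reach least privilege."""
    return {(fi.path, fi.subject) for fi in findings if fi.kind == "overbroad-grant"}


# Constructed inventory for the example; these are not real files or users.
SAMPLE_INVENTORY = [
    SharedFile("/finance/bank-accounts.xlsx", "finance",
               {"cfo@example.com": "executive", "ap@example.com": "finance",
                "dan@example.com": "sales"}),
    SharedFile("/hr/payroll-2024.csv", "hr", {"hr-lead@example.com": "hr"}, "anyone"),
    SharedFile("/support/customer-export.csv", "customer-pii",
               {"support1@example.com": "support", "intern@example.com": "marketing"}, "domain"),
    SharedFile("/marketing/brand-guide.pdf", "public", {"mkt@example.com": "marketing"}, "anyone"),
    SharedFile("/misc/notes.txt", "", {"alice@example.com": "sales"}),
]

if __name__ == "__main__":
    for fi in review(SAMPLE_INVENTORY):
        print(f"{fi.kind:16} {fi.path}: {fi.detail}")
    print(summarise(review(SAMPLE_INVENTORY)))
```

Running it flags the sales user on the finance spreadsheet, the marketing intern on the customer PII export, the publicly linked payroll file, the domain-wide customer export, and the unclassified file that the matrix cannot judge at all. That last category matters: an access review is only as complete as the classification behind it, which is the visibility gap the paragraph above describes.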
By focusing on asset and data visibility, you make your other security controls that much more comprehensive, and you give your strategy room to scale with your organisation as you add employees and vendors and expand your infrastructure.
Security leaders can take advantage of data and asset visibility tools like Metomic to help improve their security controls against social engineering attacks. Metomic integrates with SaaS apps to give you comprehensive visibility of where your data lives and who has access to it.
This allows you to limit access to critical data and also detect anomalous behaviour that might be the result of a social engineering attack or another form of compromise. Metomic can help you spot various indicators of compromise while also alerting you to sensitive files that employees shouldn’t have access to, or that shouldn’t exist where they are in the first place.
Examples include PII sitting in publicly available Google Drive folders, or every employee having access to sensitive data via an insecure channel. A user exfiltrating a huge volume of data, accessing systems during off hours, or making repeated access attempts against databases they aren’t entitled to are all potential signs of a compromise. Having visibility into these actions lets you act quickly.
Metomic improves visibility across your entire environment, which strengthens all of your security efforts and controls and helps defend against social engineering attacks.
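The three behavioural indicators named above (bulk exfiltration, off-hours access, repeated denied access attempts) expressed as detection logic over audit events, as an added example that is not Metomic’s code or the article’s own. The log format, the sample log lines, the working-hours window, and the thresholds are all assumptions constructed for illustration; real SaaS audit logs differ in shape, and thresholds should be tuned to a baseline of the organisation’s normal activity.

```python
"""Social-engineering compromise indicators over SaaS audit events.

Added example, not Metomic's code. The log format, the sample lines, the
working-hours window and the thresholds are assumptions for illustration.
Each line of the constructed log has the form:
    <ISO-8601 UTC timestamp> <user> <action> <resource> <bytes>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log; these are not real users, files or events.
SAMPLE_LOG = """\
2024-03-04T09:12:03Z alice@example.com view /finance/q1-forecast.xlsx 0
2024-03-04T09:14:10Z alice@example.com download /finance/q1-forecast.xlsx 120000
2024-03-05T02:03:11Z bob@example.com download /hr/payroll-2024.csv 40000000
2024-03-05T02:03:40Z bob@example.com download /hr/benefits.csv 35000000
2024-03-05T02:04:02Z bob@example.com download /hr/contracts.zip 150000000
2024-03-05T14:01:00Z carol@example.com denied /finance/bank-accounts.db 0
2024-03-05T14:01:30Z carol@example.com denied /finance/bank-accounts.db 0
2024-03-05T14:02:05Z carol@example.com denied /finance/wire-templates.db 0
2024-03-05T14:05:00Z carol@example.com view /sales/pipeline.xlsx 0
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str      # view | download | denied
    resource: str
    nbytes: int


def parse_log(text):
    """Parse the whitespace-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, action, resource, int(nbytes)))
    return events


def _by_user(events, predicate):
    """Group the events matching predicate by user, sorted by time."""
    groups = defaultdict(list)
    for e in events:
        if predicate(e):
            groups[e.user].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e.ts)
    return groups


def _peak_in_window(evs, window, weight):
    """Largest sum of weight(e) over any sliding window of the given length."""
    best = total = start = 0
    for end, e in enumerate(evs):
        total += weight(e)
        while evs[end].ts - evs[start].ts >= window:   # drop events that fell out
            total -= weight(evs[start])
            start += 1
        best = max(best, total)
    return best


def off_hours_activity(events, start_hour=7, end_hour=20):
    """Users active outside the (assumed, UTC) working-hours window -> event count."""
    groups = _by_user(events, lambda e: not (start_hour <= e.ts.hour < end_hour))
    return {u: len(evs) for u, evs in groups.items()}


def bulk_downloads(events, window=timedelta(hours=1), threshold=100_000_000):
    """Users whose download volume in any one window reaches the byte threshold."""
    flagged = {}
    for u, evs in _by_user(events, lambda e: e.action == "download").items():
        peak = _peak_in_window(evs, window, lambda e: e.nbytes)
        if peak >= threshold:
            flagged[u] = peak
    return flagged


def repeated_denials(events, window=timedelta(minutes=10), min_count=3):
    """Users with min_count or more denied accesses inside one window."""
    flagged = {}
    for u, evs in _by_user(events, lambda e: e.action == "denied").items():
        peak = _peak_in_window(evs, window, lambda e: 1)
        if peak >= min_count:
            flagged[u] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("off-hours:", off_hours_activity(evs))
    print("bulk download:", bulk_downloads(evs))
    print("repeated denied:", repeated_denials(evs))
```

On the sample log, bob is flagged twice (225 MB pulled from HR files at 02:00) and carol once (three denied attempts on finance databases within two minutes); alice, whose activity is small and within hours, is not. Two independent indicators on one account, as with bob, are the kind of correlation worth escalating first.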
To learn more or book a free risk review, check out Metomic here.