Social Engineering 101: Building a Human Firewall

Sep 19, 2017 by Ryan Broome

spear phish·ing

noun

Sending fraudulent emails to a specific individual or department within your organization. Phishing emails appear to be from a trusted sender. Actually, they’re from cybercriminals attempting to steal confidential information.

Not so long ago, the CFO of a large enterprise received an email at work from another member of C-Suite. It looked exactly like any other corporate email. The sender’s name was spelled correctly; the body of the email and signature looked normal. The message (professionally written) referenced a new project underway and instructed the CFO to wire 1.2 million dollars to a bank in Barcelona. It also confirmed that the usual chain of command signed off on the transfer.

A bank in Barcelona? This struck the CFO as odd. She picked up the phone to call the person who sent this email, and sure enough — they had no idea what she was talking about.

91 percent of cyber attacks begin with a phishing email just like the one in this story.[1] How did the cybercriminal gain access to emails and private information? Each executive’s name, title and email address was listed on the company website. All it took was one phishing email to fool one employee, and the criminals gained access to all the information they needed to pull off a convincing heist.

The single greatest threat to your IT security…is your people.

Building a Human Firewall

A common gut reaction to cybersecurity threats is to invest in better security hardware and software. It’s not an entirely wrong approach. But you can throw thousands of dollars at the latest antivirus software or intrusion detection system. It won’t save you from sophisticated new cyber-attack methods if your employees aren’t properly trained.

Case in point: a 2016 study sent phishing emails and Facebook messages to about 1700 test recipients (unbeknownst to them). These individuals had indicated in a survey that they were aware of risky emails. 78 percent of the test subjects clicked anyway.[2]

Security is a multi-faceted issue, but protective measures must begin with the people if technology is to effectively protect your organization’s private information. Social engineering is the act of changing the behavioral responses of your employees to security threats through simulation testing and awareness training. As a result, your workforce becomes what we like to call — a human firewall.

  • Start with a baseline test. Conduct a simulated phishing attack on your workforce to assess the vulnerability percentage of your users. Be prepared — the percentage of clicks will likely shock you.

  • Train your users. We aren’t talking about luncheon lectures and video presentations, folks. You need interactive training that exposes your workforce to common traps, live demos, scenario-based exercises, and ongoing discussions about security trends, tips and best practices.

  • Conduct random ongoing testing. Make simulated phishing attacks a regular part of your security routine. Address users who continually fall for the trap and provide remedial training to improve cybersecurity awareness.

Rounding Out Your Cybersecurity Strategy

In addition to social engineering, you must also address your administrative, technical, and on-premise controls.

Update Administrative Controls And Policies

Here’s a checklist of administrative items to secure:

  • Proper licensing of all technologies. By proper, we mean a plan that includes essential security features (not the cheapest available tier).

  • An employee exit strategy. People must be closed off from internal information the moment they are terminated or leave the company. Otherwise, they can use a mobile device to access systems and accounts.

  • Establish access controls. Only give the bare minimum access each employee requires to do his or her job.

  • Create policies for email. Policies should include best practices, expectations, and a protocol for dealing with suspicious emails.

Assess and Establish On-Premise Securities

This may include:

  • Updating your office security system.
  • Installing key-card access systems at main entrances.
  • Issuing access-control badges to employees and authorized contractors.
  • Ensuring that important documents, personal information, files, spare keys, etc., are properly gated.

Assess and Establish Technical Securities

Ideally, you want a combination of the following technological securities:

  • Email filtering (cloud-based or hardware application)
  • Content and web filtering (note: this requires costly licensing and a robust firewall)
  • Integrative end-point and email security (malware, leak prevention, realtime analysis, anti-spam, etc.)
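An added example, not code from the original post: a small Python check of the kind the email-filtering item above could apply, built around the opening story. It flags an executive’s name on a mailbox that is not theirs, a lookalike sender domain, a redirected Reply-To, and a wire-transfer instruction that should be confirmed by phone, as the CFO did. The executive directory, the example.com domain and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: executive names as listed on the public website,
# mapped to their real corporate mailboxes. example.com is an assumed domain.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "pat morales": "pat.morales@example.com",
    "dana chen": "dana.chen@example.com",
}

def normalize(name):
    """Lower-case a display name and strip punctuation before lookup."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()

def impersonation_findings(raw_message):
    """Reasons this message should go through the suspicious-email protocol ([] = nothing flagged)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    if not address:
        return ["missing or unparsable From address"]
    findings = []
    domain = address.rsplit("@", 1)[-1].lower()
    # 1. A known executive's name on a mailbox that is not theirs (the CFO story).
    expected = EXECUTIVES.get(normalize(display_name))
    if expected and address.lower() != expected:
        findings.append(f"display name '{display_name}' but sender is {address}")
    # 2. An external domain that borrows the company name (e.g. example-corp.net).
    if domain != CORPORATE_DOMAIN and CORPORATE_DOMAIN.split(".")[0] in domain:
        findings.append(f"lookalike sender domain {domain}")
    # 3. Replies quietly redirected to a third domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"Reply-To {reply_addr} differs from sender domain")
    # 4. Payment instructions by email always warrant out-of-band confirmation.
    body = msg.get_payload(decode=True) or b""
    if re.search(r"\bwire\b", body.decode(errors="replace"), re.I):
        findings.append("wire-transfer instruction; confirm by phone before acting")
    return findings

# Constructed samples: a spear-phish modelled on the opening story, and a benign internal note.
SAMPLE_PHISH = (
    "From: Pat Morales <pat.morales@example-corp.net>\n"
    "Reply-To: pm.projects@mailbox.test\n"
    "Subject: New project funding\n\n"
    "Please wire 1.2 million to the Barcelona account; the usual chain of command signed off.\n"
)
SAMPLE_LEGIT = "From: Pat Morales <pat.morales@example.com>\nSubject: Lunch\n\nSee you at noon.\n"
```

Run `impersonation_findings(SAMPLE_PHISH)` to see all four findings; the benign note returns an empty list.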

To recap, proper cybersecurity is a trifecta of strategies. Begin with baseline testing to determine the extent of your risk. Develop routine training that evolves as cyberattack methods do. Many organizations focus too heavily on the technological side of security, but administrative controls are equally important. A final piece of advice — work with a managed services provider to ensure these strategies adequately align with your business goals and security needs.

[1] HIPAA Journal

[2] Friedrich-Alexander Universität
