Companies are basing their security on technical aspects and forgetting about user education. This opens an immense and dangerous door to the risks posed by social engineering.
The large volume of cyberattacks in recent weeks has received extensive media coverage, but it should not be surprising. Despite constant warnings from information security consultants and specialists, companies are more vulnerable than they believe they are. And social engineering is one of the biggest risks they are not yet prepared to face.
Social engineering refers to a set of techniques that use research on individuals, persuasion tricks and other psychological resources to exploit weaknesses in a company's security architecture, opening the way for mechanisms such as phishing or ransomware. The most fertile environment for this manipulation is social networks, where it is possible to learn people's routines and preferences and then use that information to induce them into malicious behavior.
Brazil is among the largest consumers of social networks in the world. Some studies point to an average connection time to networks of three and a half hours a day, while others speak of up to five hours. Despite the divergence of data, there is no doubt that Brazilian exposure to this digital environment is significant, with proportional vulnerability.
LinkedIn poses a greater risk, because people there expose where they work and the positions they hold, which allows criminals to send more targeted messages. However, other networks, such as Instagram and Facebook, also make it possible to discover employees' interests and preferences. For example, it is quite simple for a cybercriminal to identify that a particular employee enjoys golf and then send a message announcing "golf club promotions" or the like, with the intention of hooking that user into a malicious action. Check this blog to learn about ways to protect against cyber criminals.
Such risks would be lower if corporate governance rules were better respected. But the facts show that reality is far from that: even the most conscientious users are not alert 24 hours a day, let alone those who have not received proper guidance. We recently conducted a simulated phishing campaign at a company and had as many as 90% of users clicking on a malicious link.
Even if the company employs good anti-fraud features, has good firewalls and a sophisticated security architecture, all this will be of little value if the malicious message is opened on corporate equipment from a private email account. This is the biggest vulnerability for ransomware attacks.
Just the law is not enough
The need to educate the user is imperative, but this does not imply increasing the severity of punishment for those who fall victim to these techniques. In fact, there is very little to be done in terms of punishment, as there is no malice on the part of the employee in triggering that malicious code: these are negligent acts, different from an intentional data leak, for example. Encouraging heavier reprimands for this type of slip can even distort the work environment, creating a toxic atmosphere, full of prohibitions, that inhibits innovation.
However, the mindset needs to change. A perfect example of the mistake made by most companies was the first phase of adaptation to the LGPD (Brazil's general data protection law). This effort took the legal aspects into account more than the technical ones. Companies worried about terms and consents, and the IT side was somewhat neglected. There was not much concern about access control, IT security and other technological issues, which are what can actually minimize the risks.
In addition to investing in awareness to change habits, companies should also be concerned with mechanisms that can increase security, such as desktop virtualization, also known as VDI or DaaS (Desktop as a Service). This approach allows for greater separation between personal and corporate work environments and keeps the impact on data security as low as possible. The measure brings a notable security gain, especially when applied to employees with broader access privileges.
Information security is not achieved by reactive actions, but by preventive ones. There are still companies that do not invest enough in protection, judging the risk of legal repercussions to be low. They are doubly wrong: they put themselves and their clients in a vulnerable position, and they are subject to fines and TACs (terms of adjustment of conduct) whose costs can literally run into the millions, as has often happened in recent cases.
In addition to the damage already mentioned, there are two other important forms of harm. The first is the impact on the company's image, which, depending on the business, can be irreparable. The other is the stoppage of operations, which is essential to contain the effects of an attack.
Technology has become a strategy for business, and also for crime. Therefore, companies need to change their approach, seeking to create a culture of security, not least because the responsibility for protecting data belongs to everyone who handles it.
Cyber Tactics
There are many tactics criminals use to gain access to company systems and data. One of the most commonly used is social engineering, in which a cybercriminal tricks someone into revealing confidential information.
There are a number of ways that companies can protect themselves from social engineering attacks. One is to have robust policies in place that forbid employees from sharing confidential information without proper authorization. Another is implementing multi-factor authentication, which requires two or more methods of authentication from different categories to verify a user's identity at login. One of the benefits of multi-factor authentication is a layered defense that makes it harder for an unauthorized individual to gain access to sensitive information, such as personally identifiable information (PII) and protected health information (PHI). Another is to deploy security measures such as biometric authentication or virtual private networks (VPNs).
Companies are also increasingly using artificial intelligence (AI) to identify potential threats and prevent them before they happen. For example, AI can be used to scan social media profiles for clues about who an attacker might want to target, or to monitor employee chat logs for signs of suspicious activity.
Conclusion
Social engineering is one of the most common cyberattacks, and companies need to be prepared to protect themselves from it. By implementing policies that forbid employees from sharing confidential information without proper authorization, deploying security measures such as biometric authentication or virtual private networks, and using artificial intelligence to identify potential threats, companies can minimize the risk of being attacked.