When it comes to security breaches, you would assume that it’s the machines that fail at their job. In reality, according to the 2018 Data Breach Investigations Report, social engineering attacks—a fancy name for ill-intentioned psychological trickery—are three times more likely to result in a breach than a hacking attempt.
Out of the roughly 53,000 security incidents analyzed in the report, most (78%) used malware and other hacking tactics to get access to a company’s data. These attacks primarily targeted weaknesses in the business’s network security. However, relatively few of those attacks turned into confirmed breaches. Of the 2,216 breaches the report counts, the vast majority involved human error: someone clicked, opened, or handed over what the attacker asked for.
Social engineering attacks are widely effective, and the major reason for that is a lack of knowledge and awareness about the internet and the digital space. Let’s be fair: many people are still familiarizing themselves with digital technology and may walk into traps that any Gen-Z iPad kid would spot from miles away.
For example, one of the most common and effective types of social engineering attacks is called phishing. Phishing, in its essence, is an attempt to get someone to click on a link that takes the user to a fraudulent website (one that looks fully legitimate), designed to lure out personal or financial information, or to open an attachment that installs malware. According to the report mentioned above, 96% of phishing attacks arrive by email, frequently carrying a shortened URL so that the real destination is hidden from the reader. Such emails often have spelling and grammatical errors, but do not rely on that alone: targeted messages are often polished, and the safer habit is to check where a link actually points before clicking, or to type the site’s address yourself instead of following the link.
And yet, as trivial and obvious as such attacks may seem, phishing sees a lot of success. Just like our parents have taught us “not to walk in the dark,” it seems like it is our turn to teach them “not to click on suspicious links from unrecognized sources in your mailbox.”
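The link-checking habit described above can be automated as a first-pass triage of incoming mail. The following script is an added example and is not part of the original article or of any JMARK tool. It parses a constructed sample message, extracts every link, and flags the traits just discussed: shortened URLs, link text that names one domain while the href goes to another, a brand name used as a decoy subdomain, raw IP addresses and punycode hosts. The shortener list, the brand list and the sample email are all assumptions made up for the demo, and nothing is fetched from the network.

```python
"""Heuristic triage of links in a suspected phishing e-mail.

Added example (not the article's or JMARK's code). Scans the HTML body of a
message and flags links that show classic phishing traits. Offline only: a
shortened URL is flagged, never followed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed list (assumption): hosts treated as public URL shorteners.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed list (assumption): brands we care about and the registrable
# domains that legitimately serve them.
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com", "office.com"}}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the demo; a real tool would
    use the Public Suffix List, since e.g. co.uk breaks this heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def analyse_link(href: str, text: str) -> list:
    """Return the warning tags for one link (empty list means nothing odd)."""
    flags = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        flags.append("non-http-scheme")      # mailto:, javascript:, file: ...
        return flags
    if host in SHORTENER_HOSTS:
        flags.append("shortened-url")        # destination hidden from reader
    try:
        ipaddress.ip_address(host)
        flags.append("raw-ip-host")          # no domain at all
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")        # possible homoglyph domain
    # Visible text looks like a URL or domain but the href goes elsewhere.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        flags.append("text-href-mismatch")
    # A brand name appears in the host, but the registrable domain is not the brand's.
    reg = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host and reg not in legit:
            flags.append(f"lookalike-{brand}")
    return flags


def triage_email(html: str) -> dict:
    """Map every href in the message to its warning tags."""
    return {href: analyse_link(href, text) for href, text in extract_links(html)}


# Constructed sample message for the demo (not a real phishing e-mail).
SAMPLE_EMAIL = """
<p>Dear Custumer, your acount will be suspended. Please verifiy here:
<a href="https://bit.ly/3xyzAbc">https://www.paypal.com/signin</a></p>
<p>Or use the secure portal:
<a href="http://paypal.com.secure-login.example/login">Secure portal</a></p>
<p>Unsubscribe: <a href="https://www.paypal.com/unsubscribe">www.paypal.com</a></p>
"""

if __name__ == "__main__":
    for href, flags in triage_email(SAMPLE_EMAIL).items():
        print(f"{'SUSPICIOUS' if flags else 'ok':10s} {href}  {flags}")
```

Running it on the sample prints the two decoy links as suspicious and the genuine unsubscribe link as ok. The point is not the specific heuristics but the habit they encode: compare what the reader sees with where the link really goes, and treat anything that hides its destination as untrusted until proven otherwise.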
Types of Social Engineering Attacks
Most social engineering attacks rely purely on a lack of awareness on the victim’s part. Once the victim is trained and is aware of what types of attacks can happen and the forms they take, it drastically reduces the options for malicious parties.
Pretexting is another popular form of social engineering attack. In pretexting, the attacker impersonates an authority or a business partner to ask for bits of personal information from your employees or customers. Tellingly, pretexters often pose as representatives of your external I.T. company and call a key link in your security chain (a receptionist or a security guard, for example) to talk their way into security information or physical access. The defense is procedural: verify the caller through a number you already have on file, never one they give you, and refuse any request that bypasses the normal process, however urgent it sounds.
Keep in mind that these types of attacks can be used against your company as well as in the name of your company. Attackers might not be interested in your internal company information, but they might pretend to be a representative of your firm and target your customers.
Baiting, a first cousin to phishing, is virtually the same old “click on the link” type of attack, except that it dangles a bait (a free download or an exclusive offer) to lure its victims. The bait can also be physical: a USB stick left in the parking lot with an inviting label, which installs malware the moment a curious employee plugs it in.
It is fairly obvious from these definitions that such attacks are largely preventable. Most social engineering attacks target the uninformed and the unaware. The great majority of socially engineered breaches could be avoided by not clicking the link, not opening the attachment, not plugging in the unknown device, and verifying who is really asking before handing anything over.
Security Education Might Be the Best Investment for Your Network Safety
If you’ve been considering getting an upgrade for your company’s data integrity and network security, you should, first of all, consider employee security training. Most likely, it’s going to be a decision that pays high dividends.
Small and medium-sized businesses should be the most worried. According to the Data Breach Investigations Report, 58% of data breach victims were small businesses. It’s no surprise, really: tactics like tailgating (an attacker disguised as a delivery driver asks someone to “hold the door,” then follows them into the office) are much harder to pull off in a corporate environment where everyone entering must badge in individually and staff are trained not to hold the door for strangers. Note that the badge reader alone does not stop it; a tailgater simply walks in behind someone who has just swiped, which is why the training matters as much as the hardware.
Smaller companies are also easier to scout. Social engineering attacks are built on familiarity and the appearance of trust. People don’t click on links they find suspicious; a malicious link gets clicked precisely because it did not look suspicious to the person who clicked it. Naturally, the best way to manufacture that familiarity is to gather as much information as possible about the victim before the attack. If the person on the other end of the phone already knows your full name, address, workplace, and email, that knowledge has bought them a great deal of apparent legitimacy.
In terms of industries, the ones that hold the most information (and, from the attacker’s point of view, the more sensitive the better) are the primary targets. The healthcare industry knows this all too well: 24% of all breaches occur in healthcare companies. Stolen data is used both to blackmail the practice and to con the clinic’s patients through impersonation. Either scenario can damage the institution’s reputation severely, and sometimes irreversibly.
Hospitality and food industries are also at risk, for the very same reason. Where there is personal information, there is motivation for attackers.
Not all breaches are after customer data. The Data Breach Investigations Report estimates that up to 13% of attacks are a form of corporate espionage: a way to gain a competitive advantage through insider know-how. The manufacturing industry is notorious for suffering this type of attack, accounting for 18% of all breaches.
Lastly, when considering the need for better security training, take the human factor into account. How would you evaluate your company’s level of digital sophistication? What is the average age for your employees? Those accumulated years of wisdom can bring great value to your organization, but they also may leave some employees less well prepared for the new technological age.
If you’re worried about the security of your company and the integrity of your data, give us a call, and we’ll help you find a way to strengthen your walls and train your army. You can reach us by calling 844-44-JMARK, or sending an email to jmarkit@JMARK.com, or just get in touch through the Contact Us page of this website. We want to hear your story and understand your challenges, truly.