Social engineering is now the preferred attack technique of sophisticated cybercriminals seeking to break through a company’s data security system.
A 2015 report by tech trade association CompTIA found the human element was the source of more than half of security breaches. This means no matter how strong a company’s technical safeguards, people are its weakest link when it comes to protecting sensitive information.
Recent data breach highlights simplicity of social engineering tactics
As if to reinforce CompTIA’s findings, a recent data breach at a popular photo-sharing service highlighted the ease with which cyber criminals can use “social engineering” techniques to access information.
In this case, a hacker simply pretended to be the company’s chief executive and asked an employee for, and received, an email containing the names, Social Security numbers and wage data of 700 current and former company employees.
Social engineering tactics can sway individuals to make harmful choices
This simple request is one example of a variety of ruses criminals use to evade technical security measures and get employees to do their dirty work for them. Social engineering efforts aim to convince individuals to do the following:
- Disable or ignore security measures
- Click on malicious links
- Open documents containing macros that run malicious code
- Download files that install malware on laptops, tablets and smart phones
- Hand over valued credentials, such as usernames and passwords, for crucial systems or valuable services, or
- Make wire transfers to fraudulent bank accounts under the belief they are following orders from their superiors.
Social media sites are a popular playground for cybercriminals
According to data protection firm Proofpoint, last year saw a spike in social media phishing scams. Its recent whitepaper reported that 40% of Facebook accounts and 20% of Twitter accounts purporting to represent well-known brands are, in fact, unauthorized.
The whitepaper also noted the popularity of malicious mobile apps as a method of stealing information or compromising data security, with more than two billion malicious mobile apps willingly downloaded from rogue marketplaces or authorized app stores.
Companies don’t keep pace with social engineering trend
While the scope of the problem seems obvious, findings suggest companies are not taking the threat of social engineering seriously enough. Only 30% of the companies in the CompTIA survey considered the “human element” a serious concern and only 54% trained their employees on cybersecurity.
Such views, however, cannot continue now that cybercriminals use social engineering as their primary attack method, which makes unsafe cybersecurity habits a risk to both individuals and their employers.
As hackers attempt to circumvent more advanced security technology by increasing their focus on exploiting human flaws, companies need to respond in kind.
They must invest in their employees by providing ongoing employee training to ensure individuals deploy data security measures properly throughout their organization.
Such training will not only decrease the odds of a data breach, as well as the costs associated with one, but will also improve employees’ productivity as they — and the IT department — spend less time addressing data security issues.
Thomson Reuters offers its online Data Privacy and Security training course to help reduce risk and encourage compliant behavior by educating employees on the best practices for handling data safely.
About the author
Tiffany Robertson is a practicing attorney who writes about legal issues and how they relate to compliance in the workplace. She received her undergraduate degree in International Relations from Boston University and a master’s degree in International Affairs from American University. She holds a law degree from American University’s Washington College of Law, where she was also a member of American University Law Review.