You can take every step to protect your business – using the latest anti-virus software, encrypting files and data that are stored in the cloud, strictly managing user permissions. But all it takes is a single well-worded social engineering email being sent to the wrong person, and all of those efforts can still see you falling victim to an attack.
2015 marked the first year that social engineering attacks outnumbered attacks on software vulnerabilities and exploits, and since then their prominence of the attacks has only grown. Attackers have found that they can gain more access from tricking people into trusting them, with far less effort, than they could by infiltrating software.
Why Are Social Engineering Attacks So Dangerous?
When an attacker gains access to your systems through a bug in your software or apps, their access to your information may still be limited, particularly if you have strong permission management in place. If they attempt to access any files or data, you’ll be alerted to unusual activity, and will have the opportunity to protect your systems and prevent a data breach.
When one of your team members falls for a social engineering attack, on the other hand, the attackers have the opportunity to gain far more access, and to fly under the radar while doing so.
Say, for example, an attacker tricks one of your employees by pretending to be a colleague, or even pretending that they’re you. Susan in Accounting gets an email, asking her to just double check the invoice attached. The email says it’s from you, asks how she’s found being back after the holiday she’s just been posting about on Facebook, and has your signature at the bottom. Nothing out of the ordinary. She doesn’t think anything of it, clicks the attachment, and the malware that the ‘invoice’ contained gets installed on her machine. It tracks her emails, her online activity, her keystrokes and user credentials, all of which the attacker can use to gain access to your systems.
Let’s say that the attacker then tries to access your company files. They’ve logged in as Susan, which means that their activity will look like it’s Susan trying to download or transfer files. Is that really all that unusual? It might raise a red flag, but it also might go completely unnoticed.
And once an attacker has access to Susan’s email credentials, they can send out further emails, all of which are coming from her address, to colleagues, vendors and more. They may even intercept the invoices that Susan sends to your clients, simply replacing the invoices with attachments of their own with only the banking details differing.
And all because Susan thought she was doing you a favour and checking whether an invoice had been paid. All because she fell for a single social engineering attack.
Just like phishing, spear phishing and whale phishing, some social engineering attacks are general, trying to trick anyone that they possibly can. Others are targeted at specific individuals, likely those that share a lot of details about their personal lives on social media. And then there are the social engineering attacks that target high-level executives like CEOs and CFOs, knowing that they are the most likely individuals to have maximum access, giving the attackers the biggest opportunity to cause harm and get a great payday from your company.
But the link in the chain here, is that the people targeted by social engineering attacks are your humans. Not your software. Not your hardware. They aren’t trying to hack passwords. They are using the weakest link that your company has – your human resources – to gain access. Because humans are… well, human. They make mistakes. They click on links that they shouldn’t, open attachments, use passwords that are easy to remember but aren’t necessarily all that secure.
As I said, you can have the best security software in the world. But when your people don’t understand the role that they play in keeping your business secure, your company is very vulnerable to social engineering attacks.
How Can You Protect Your End-Users?
They may be the weak links in your security chain, but there are steps that you can take to protect your humans against social engineering attacks.
Conduct Regular Training Sessions
One of the most common causes of data breaches is human error, and social engineering relies on your humans making errors. By training them to recognise suspicious mails, helping them to understand what they should do if they’re unsure of whether a mail is from a colleague or a potential attacker, and running seminars on how your teams can protect themselves and your business in turn, you will be strengthening your company’s IT security, and reducing the risk of a social engineering attack.
It may also be worth running a seminar on social media, the importance of privacy for their sake and yours, and what they should and shouldn’t be posting publicly.
Implement Multi-Factor Authentication
Multi-factor authentication (MFA) is one of the best tools in your arsenal when it comes to access management. When you’re using MFA, password security becomes less of a priority. Because, frankly, you don’t need to worry too much about a password becoming compromised when your data is secured by tokens sent to cellphones or fingerprint analysis as well.
I’m not saying don’t encourage your humans to be careful about the passwords that they use. They absolutely should be! But by implementing MFA, you are adding an extra layer of protection that an attacker on the other side of the world is going to find very difficult to infiltrate – especially if they have a secure password to hack as well.
Use Microsoft Defender For 365
One of the (many) amazing things about Defender for 365 is that it actively helps to protect your business emails against phishing and social engineering attacks. You can run training simulations, where you send your employees a suspicious mail, and see how they respond. If they click on the link or attachment within, instead of putting your company at risk, Microsoft will help to train them in how they should have responded.
On top of that, Microsoft Defender also warns users when they are about to click on what might be a suspicious link, and scans attachments in the background before they are downloaded to your employees’ computers, making it less likely that they will fall for a social engineering attack, or making them think twice before just trusting the sender.
And don’t get me wrong, it’s not just email security the Defender for 365 focuses on. It’s just as useful when you’re using it, for example, in Microsoft Teams for finance businesses, since it scans links in Teams as well to ensure that they are legitimate.
Secure Your Domain
While anyone can change the name of the sender in an email to anything they like, and can use your signature even if they aren’t from your company, you can make it more difficult for them to use your domain name itself, which adds a layer of protection to your company’s email security.
There are SPF records, which specify the IP addresses that your emails are going to be coming from, marking emails that claim to be from you, but aren’t from those IPs as spam.
There are DKIM records that prevent email tampering, making sure that the email you send is the one that your intended recipient gets, reducing the risk of attachments being switched out enroute.
There’s also DMARC reporting which checks incoming mail to ensure that it’s from a legitimate source.
And if you need some help with putting these email security measures in place, I have great news for you – our friends at Sendmarc have all the tools you need, specialising in providing tools that not only report your domain’s reputation, but also help you to improve it.
Want to schedule a meeting with Solid and Sendmarc? Book some time in my diary, and let me know.
How Can Your Humans Help You To Avoid Social Engineering Attacks?
On top of putting systems in place within your business to protect your humans, it’s important that your people understand the role that they play in protecting your company as well. It is, after all, a two-way street.
Rather than going into each and every way that your team members can protect your business, I thought I’d point you in the direction of a checklist we’ve put together to help employees maintain great personal cyber hygiene – practices that can help them to protect themselves online, keep their personal data safe, put security routines in place and keep their personal devices up to date.
You (or they) can download the checklist anytime you like from our resources page.
What Role Does Solid Systems Play?
At Solid Systems, we’re all about keeping your business as safe and successful as possible. It’s why we team up with partners like Sendmarc to offer email security solutions that protect your users. It’s also why we offer cybersecurity training sessions, IT audits, compliance audits and so much more.
When your business is protected against social engineering attacks, you’ll spend less time worrying about security, and more time focussing on the areas of your business that mean the most to you, and are going to ultimately make you more money.
If you’re ready to see how we set ourselves apart from other IT companies in South Africa, get in touch with our IT pros and we’ll show you the difference.