Social engineering efforts, such as so-called “phishing” emails, are likely being used for unauthorized access to a corporate network – perhaps yours or one of your partners’ – as you read this. Herewith, why this threat matters so much, and what you can and should do now to protect your users, your networks, and your business.
Social engineering – what you need to know now
- As hackers, thieves, beleaguered users, and their enterprises seem to discover every day, the easiest way to gain unauthorized access to a network is not via hacking or malware. The easiest way is to lie to an authorized user. “Social engineering” is the euphemism used to describe this approach.
- The most common form of social engineering is the phishing email. A legitimate-looking email pretends to come from a colleague or a superior, or to confirm an order or receipt of a job application. It asks the recipient to download a file, click on a link, transfer funds to a designated account, or to go to an official-looking web page to fill out a form with personal, private, or proprietary business information.
- The result? Malware or ransomware infects the gullible user’s computer, then propagates itself across the enterprise network. Or the funds are actually transferred to thieves instead of customers or colleagues. Or the personal, private, or proprietary information is used to gain access to the network, steal from the enterprise, or both. Or it’s sold on the dark web and used to open and run up charges to fraudulent credit accounts. Or some combination of all of these.
- Phishing emails fool legitimate users at home or at work, and at every professional level. The 2017 edition of the widely cited and well-respected Verizon Data Breach Investigations Report found that one in 14 users “were tricked into following a link or opening an attachment — and a quarter of those went on to be duped more than once. Where phishing successfully opened the door, malware was then typically put to work to capture and export data—or take control of systems.” Further, the study found that 95 percent of phishing attacks that led to an actual security breach “were followed by some sort of software installation.” That is to say, ransomware or some other type of malware.
- Phishing is not the only way social engineers and hackers gain access to networks. The same Verizon study found that “81% of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.” As DarkReading reported in December 2017, password management firm SplashData took a look at some five million stolen and hacked passwords found online. The 10 most popular, in order of their popularity? “123456,” “Password,” “12345678,” “qwerty,” “123345,” “123456789,” “letmein,” “1234567,” “football,” and “iloveyou.” It doesn’t take much effort or intelligence to guess a working password correctly when users are this bad at selecting passwords.
- However they happen, breaches are disruptive – and expensive. The IBM-sponsored 2017 Cost of Data Breach Study by the Ponemon Institute found the global average cost of each data breach to be US$3.62 million. The average data breach studied involved more than 24,000 lost or stolen records, with a cost of $1.41 each. The same report estimated “the likelihood of a recurring material data breach over the next two years” at each organization studied at 27.7 percent, a 2.1-percent increase over 2016. And the study found that it takes organizations an average of 191 days to identify a data breach, and 66 days to contain it.
Social engineering – what you need to do now
If you have the tools and processes to enforce them, put strict rules in place about which files and file types are allowed to enter or traverse your environment and which are forbidden. Take similar steps to ensure that user passwords are robust and regularly updated. If you have no such resources, at the very least, now is the time to implement processes intended to govern file access and password management, and to consider acquiring helpful tools.
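One concrete way to enforce the “robust passwords” rule above is to reject any candidate that matches the SplashData top-10 list quoted earlier, or a trivially disguised variant of it, before it is ever stored. The following is an added example, not code from the original post or from any vendor it names; the denylist is constructed from the ten passwords quoted in the post, and the minimum length and the keyboard-sequence heuristic are assumptions for illustration.

```python
import re

# Constructed denylist: the ten most common stolen passwords quoted in the post
# (SplashData's list as reported by DarkReading), compared case-insensitively.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123345",
    "123456789", "letmein", "1234567", "football", "iloveyou",
}

# Keyboard rows and the digit row; runs taken from these (either direction)
# are the stuff of "qwerty" and "123456" and are treated as guessable.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")


def _contains_run(candidate: str, length: int = 4) -> bool:
    """True if any forward or reversed keyboard/digit run of `length` chars appears."""
    low = candidate.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in low:
                    return True
    return False


def password_problems(candidate: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations for `candidate` (empty list means acceptable).

    The 12-character minimum is an assumed policy value, not one from the post.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Strip trailing digits/punctuation so "Password1!" is still caught as "password".
    core = re.sub(r"[\d\W_]+$", "", candidate.lower())
    if candidate.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if _contains_run(candidate):
        problems.append("contains a keyboard or digit sequence")
    return problems


def is_acceptable(candidate: str) -> bool:
    """Convenience wrapper for an account-creation or password-change hook."""
    return not password_problems(candidate)
```

In a real deployment the denylist would be the full breached-password corpus rather than ten entries, and the check would run server-side at the point where the password is set.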
Another step worth taking? User education about phishing and bad passwords. These efforts should include dissemination of lists and articles related to bad passwords, periodic sending of simulated phishing emails, and timely reporting of discovered phishing threats.
DarkReading reported in December 2016 that a study conducted by phishing defense solutions vendor PhishMe found that susceptibility to phishing attacks “drops almost 20% after a company runs just one failed simulation.” That same study found that timely reporting of phishing threats “can reduce the standard time for detection of a breach to 1.2 hours on average – a significant improvement over the [then-]current industry average of 146 days.”
Your users can be your cybersecurity’s weakest link, or your IT environment’s first line of effective defense. Even without investment in additional cybersecurity solutions, you can improve cybersecurity significantly by engaging and educating those users. User education about cybersecurity could even create opportunities for collaborations between IT and marketing teams, to help to promote those education efforts. After all, anything is possible…