Cyber Insurance Basics: Combatting Social Engineering
Social engineering encompasses a broad range of techniques used to trick users into giving away sensitive information or making mistakes. Rather than looking for a software vulnerability, cyber-criminals exploit human vulnerabilities instead. According to a report by security firm Barracuda Networks, an organisation is targeted by 700 social engineering attacks each year, on average. Types of attacks include:
- Phishing. Phishing attacks often involve an email or text message pretending to be from a trusted source asking for information (eg an email, supposedly from the bank, asking for security details).
- Pretexting. Criminals use a pretext to gain the victim's attention before they launch their cyber-attack (eg an internet survey that hooks the reader and then proceeds to ask for personal information).
- Quid pro quo. Criminals rely on people’s sense of reciprocity, with attacks offering something in exchange for information (eg a cyber-criminal offering to urgently update a supposed security problem with the victim’s software, pressuring the victim to act).
It’s vital for organisations to know how to prevent social engineering attacks. Consider these tips:
- Instil a positive security culture. If an organisation falls victim to a social engineering attack, the incident must be contained quickly. Foster a culture where staff are encouraged to report incidents immediately.
- Be suspicious. Remind staff to always act with caution. It’s essential to be suspicious of unsolicited communications and unknown people and to check whether emails have genuinely come from their stated sender. Additionally, employees must think carefully before providing any sensitive information.
- Train staff on social triggers. Train staff on the tactics cyber-criminals use, including masquerading as trusted entities and creating a false sense of urgency to confuse victims.
- Test training effectiveness. Once staff have been trained, consider conducting a simulated phishing attack. The results will indicate who needs additional training and give a better analysis of cyber-risk.
- Implement cyber-security measures. Review technological cyber-security measures. These could include antivirus and anti-malware programs, regular software updates and penetration testing. Additionally, consider making two-factor authentication—requiring two forms of credentials—mandatory for staff to access services. This will create an additional layer of security against cyber-attacks.