Discussions about security and compliance disproportionately focus on businesses and enterprises, precisely because these organizations serve as central repositories for critical industrial or consumer information. Accordingly, regulations and best practices are often tied to securing this infrastructure, with consumers getting little to no attention.
However, the reality of modern cybersecurity threats is that almost all major security breaches are related in one way or another to social engineering–that is, the manipulation of people to breach data systems. Unfortunately, that doesn’t seem like it is changing any time soon.
How Is Social Engineering Impacting U.S. Businesses?
Compliance and security regulations typically emphasize system hardening, robust authentication, access controls, and data obfuscation through encryption. But, as the Verizon Data Breach Investigations Report notes, 85% of all breaches “involved the human element.”
What is the human element? Simply put, people are typically the weakest link in the security tool chain. Consider the following examples:
- The U.S. Energy Grid: In 2018, Russian hackers used attacks on small contractors and construction firms to launch phishing attacks against major providers of nuclear power, water treatment, manufacturing and energy management throughout the country.
- The California State Controller’s Office: A phishing attack targeting the SCO fooled an employee into giving up email credentials, which in turn allowed the hacker up to 24 hours of unlimited access to PII. The attacker then used that information to launch more phishing attacks.
- JBS: The world’s third-largest meat processor found itself the victim of ransomware after an employee clicked on a malicious attachment from a phishing message.
Many phishing attacks target regular employees without specific security knowledge. That would lead one to think that higher-ranked executives would not fall for such tricks. That would be incorrect, as modern spear and whale phishing attacks have tricked executives from some of the largest companies in the world.
Some examples include:
- Mattel, Inc. nearly lost $3 million when a finance executive was tricked into transferring the funds into a fake offshore account due to a phishing attack.
- Ubiquiti Networks nearly lost $50 million when someone in finance transferred the money to fake vendors. The company was able to recover $8 million.
- Australian aerospace company FACC suffered $55.8 million in losses when their chief executive officer fell for an unspecified phishing attack. He was later fired due to the loss.
- Hedge fund Levitas suffered $800,000 in losses from an attempted $8.7 million theft when a co-founder followed a fraudulent Zoom link
How Does Phishing Impact Enterprise Security
Encryption, firewalls, multifactor authentication… These technical security measures are necessary in modern IT systems. Problematically, however, these solutions cannot always react to phishing attacks.
Simply put, phishing attacks allow hackers a way to bypass all of these particular defenses. A phishing attack can gain credentials to a system and, without proper identity verification, give the attacker complete access to private information.
The main problem is that people are poorly trained to handle sophisticated phishing attacks. Furthermore, the relative ease with which hackers can launch such attacks against huge swaths of people means they need only a tiny success rate from a large pool of victims.
Phishing can affect enterprise organizations in several major ways:
- Foregrounding Training: It only takes one person falling for a phishing attack to compromise an entire system. To address this vulnerability, enterprise organizations must create a culture of awareness and training around social engineering attacks.
- Rethinking Data Backups: Phishing attacks can lead to data corruption or, worse, ransomware locks that can cost your years’ worth of information in one fell swoop. However, with regular data backups, ransomware becomes less of an issue, which means that you have more leverage against such attacks.
- Evaluating Third-Party Relationships: Several high-profile attacks, such as those against SolarWinds and its clients, make their way through an ecosystem by infecting the infrastructure of managed service providers (MSPs). Therefore, it is critical for MSPs to audit their systems and products regularly and for organizations working with MSPs to regularly audit that technology to ensure that they won’t be surprised by an unexpected attack.
- Dedicating Resources to Constant Security: Enterprise organizations with extensive infrastructure are more and more often hiring Chief Information Security Officers (CISOs) responsible for system security and compliance. By having a centralized point of control over security, your organization can more effectively manage IT compliance and cybersecurity to minimize social engineering attacks.
Can Security Audits Help with Social Engineering Attacks?
Regular security audits can, in some cases, become checklists… what controls have you implemented, what security risks are acceptable for business, what security gaps exist and need rectification, and so on.
But modern, professional security audits can also provide insight into the less prescriptive protection areas. Training, continuing education, and email controls like alerts for emails originating outside an organization are all approaches that an expert security firm can help you coordinate.
Fortunately, many compliance frameworks and regulations include some requirements that address social engineering. But it is up to you to create a culture of awareness to stop these attacks.
Are You Looking for Ways to Curb Social Engineering?
Call Continuum GRC at 1-888-896-6207 or complete the form below.