It's week 4 of the National Cyber Security Awareness Month (NCSAM) and the theme for this week is "cybersecurity for small and medium-sized businesses and entrepreneurs." Small to medium-sized businesses make up a large portion of the economy, so it shouldn't be a surprise that 70% of cybercrimes resulting in data breaches targeted small businesses. Cybersecurity education and policies are essential for the survival of these businesses.

There are many ways a business can improve their security measures, but technological safeguards will do nothing if a social engineer can get an employee to grant them access to the network. The human element is often the weak link; however, that doesn’t have to be the case. Educating and training employees on security policies and best practices can help them become another line of defense against inevitable social engineering attacks.

What Is Social Engineering?

Social engineering is a type of cyberattack exploiting the human element rather than directly attacking a network. Social engineering can involve targeted phishing emails (95% of all attacks on enterprise networks result from successful spear phishing), or vishing—a tactic that involves the social engineer actually speaking to the victim over the phone. In either attack the attacker will attempt to impersonate someone or an entity the victim trusts such as the company’s IT department, a supervisor, an admin, Facebook, LinkedIn, etc. In a recent study by McAfee, 30,000 participants around the world were given a 10-question quiz and were asked to identify which emails were phishing ones and which were not. 80% fell for one or more phishing emails.

Why Do People Fall Victim to Social Engineering?

Social engineering is successful because of a few reasons:

• Social engineers gather the right information to trick their victims. They can easily find information about a company or its employees on social media and a simple Internet search. Using the information they customize phishing emails (the most common social engineering tactic) into carefully crafted emails. They even employ spell checkers and professional proofreaders to make the email gain their victim’s trust.
• Employees are helpful. People, especially in the workplace, tend to be helpful. Most of us are happy to give someone directions or open the door for others. That helpful nature may lead employees to click on a link from the IT department especially after receiving a call supposedly from one of the IT technicians. No employee wants to be seen or written up as difficult to work with.
• Employees are uneducated. Employees have not been properly trained to look for and avoid social engineering tactics.

What Can Be Done to Prevent It?

Training, training, training. Cramming for an exam the night before, without having previously studied, is the worst way to go about preparing for an inevitable attack. The once-a-year training session is not enough. Employees may leave these rapid-fire trainings and forget everything they learned by the end of the day. Continuing education and awareness training seems to be the best solution to the human element in cyber security.

In a recent radio interview with Dark Reading, Chris Hadnagy, chief human hacker at Social-Engineer, related an experience his team had with a company that hired them:

“...80% of employees clicked on phishing emails, 90% fell victim to vishing and 90% were duped by one of his team members impersonating a person at the help desk. We went to town educating them, and then in a later test, which we made more difficult, they shut us down,” he said. “We got nowhere.”

Hadnagy’s experience demonstrates the importance of training and how it can help.

Tip of the Week

Keep the following things in mind when protecting your small or medium-sized business from social engineering:

1. Practice makes perfect. Like any other acquired skill, the more time is put into developing it the more you will get out of it. Do frequent, short trainings. Frequent trainings will help both old and new employees hone their security awareness.
2. Don’t use cyber security jargon. Not everyone is a cybersecurity expert, and not everyone will be able to understand the jargon an expert would use. Nothing will turn someone off more than listening to a 30-minute lecture filled with strings of unknown words. Make sure to use language everyone understands.
3. Perform a penetration test (pentest) focusing on social engineering. A pentest will help see where you are vulnerable to social engineering. It might also be useful to show employees how they had been tricked (keeping names of employees anonymous).
4. Social engineering tactics change. It is important to educate employees of the changes in tactics and how they can identify and avoid them.