There is a common misconception about how attackers gain access to a victim's network. Maybe this is due to Hollywood's portrayal of men in hoodies pounding away at keyboards to break through the target's network defenses. I'm not suggesting that this never happens. But attacking a well-maintained perimeter head-on takes time and skill, and modern criminal groups know there is a cheaper weak link in every office, plant and clinical environment: the people. A large share of intrusions begin not with a firewall being defeated but with an employee being deceived.
First, some definitions…
Social engineering – “Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables.” (1)
Phishing -“The practice of tricking Internet users (often through the use of deceptive email messages or websites) into revealing personal or confidential information which can then be used illicitly.” (2)
Spear phishing – “A phishing method that targets specific individuals or groups within an organization.” (3)
Certainly, there are variations that use phone calls (vishing) and text messages (smishing). But all of these techniques share one goal: get someone to click a link, open an attachment, or simply hand over credentials or personal information.
Now, let's consider a simple attack. The attacker picks a target company, enumerates its employees (LinkedIn is very helpful for this), and works out the organization's email address format from a few known addresses. A well-crafted message is then sent to an employee, typically impersonating a colleague, a vendor, or IT support. If the employee opens the attached file (a macro-enabled document or a script disguised as an invoice or image) or follows a link to a look-alike login page, one of two things happens: malware is installed that gives the attacker remote control of the PC, or the employee types their password into a page the attacker controls. Either way, the attacker now has a foothold and uses the PC or the stolen credentials as a pivot point to reach the rest of the network and the business data, including data in cloud services. The attacker spent minimal time researching the company, crafted one email, and hit send. It's a numbers game: send enough messages and wait until someone clicks. Pretty good ROI on time spent.
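The attack above leaves tell-tale marks in the message itself, and they are exactly what employees (and mail filters) should be taught to look for: a sender domain that is one character off from the real one, a display name that claims to be the company while the address is external, a Reply-To that goes somewhere else, a macro-enabled attachment, and link text that shows a trusted URL while the href points elsewhere. The following is an added example, not code from the original post; it uses Python's standard library only. The company domain `examplecorp.com`, the sample message, and the list of risky attachment extensions are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical company domain used for the checks below (constructed for the example).
TRUSTED_DOMAIN = "examplecorp.com"

# Attachment types that commonly carry a first-stage payload (illustrative list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".docm", ".xlsm", ".zip"}


def edit_distance(a, b):
    """Levenshtein distance; used to catch typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)

    # 1. Look-alike sender domain: close to, but not equal to, the trusted domain.
    if domain and domain != TRUSTED_DOMAIN and edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain: {domain}")

    # 2. Display name impersonates the company while the address is external.
    if domain != TRUSTED_DOMAIN and TRUSTED_DOMAIN.split(".")[0] in display_name.lower():
        findings.append(f"display name '{display_name}' does not match sender {addr}")

    # 3. Reply-To points at a different domain than the From address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and sender_domain(reply_to) != domain:
        findings.append(f"Reply-To domain differs from From: {reply_to}")

    # 4. Attachments with extensions that commonly carry a payload.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")

    # 5. Link text shows one host while the href actually goes to another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        anchors = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html.get_content(), re.I | re.S)
        for href, text in anchors:
            shown = re.sub(r"<[^>]+>", "", text).strip()
            # Only compare when the visible text itself looks like a URL or domain.
            if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I):
                shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
                href_host = urlparse(href).hostname or ""
                if shown_host != href_host:
                    findings.append(f"link text '{shown}' actually points to {href_host}")
    return findings


# Constructed sample message modelled on the attack described in the post.
SAMPLE_PHISH = """\
From: "ExampleCorp IT Support" <helpdesk@examp1ecorp.com>
To: jane.doe@examplecorp.com
Reply-To: helpdesk-reset@mail.example
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your password expires today. Reset it at
<a href="http://login.examp1ecorp.com/reset">https://portal.examplecorp.com</a>
or open the attached form.</p></body></html>
--b1
Content-Type: application/octet-stream; name="reset_form.docm"
Content-Disposition: attachment; filename="reset_form.docm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@examplecorp.com>
To: john.smith@examplecorp.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="us-ascii"

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw))
```

Run against the constructed sample, the phishing message trips all five checks and the benign one trips none. None of these checks is conclusive on its own (a vendor really can use a Reply-To on another domain), which is why the output is a list of indicators for a person to weigh rather than a verdict; that judgement is what awareness training is meant to build.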
What is the moral of this story? Even the best technological defenses can be circumvented by one employee clicking without thinking. Companies that are serious about cybersecurity understand that employees need to be transformed from "weak links" into "security allies". By teaching them how these attacks work and what to look for, you empower employees to help protect the business and you build a security-conscious culture. Regular cybersecurity training also provides the following business benefits (4):
- Minimize the risk of data breaches and downtime (loss of productivity)
- More robust defenses when you combine technology with informed people
- Satisfy compliance requirements
- Be socially responsible as a business
- Improve customer and vendor confidence
The secret to developing a security-conscious culture is to provide engaging and informative content on a regular basis. This is not a "one and done" exercise. Ongoing training keeps cybersecurity at the forefront, so that it is top-of-mind every time a suspicious message arrives.
If you have any questions or need some help improving your cybersecurity, please contact me at firstname.lastname@example.org
(1) https://www.kaspersky.com/resource-center/definitions/what-is-social-engineering
(2) https://www.merriam-webster.com/dictionary/phishing
(3) https://www.trendmicro.com/vinfo/us/security/definition/spear-phishing
(4) https://www.cybsafe.com/community/blog/7-reasons-why-security-awareness-training-is-important/