Social engineering is neglected in business security. Many people are completely naive about it or have no idea what social engineering is. How is this possible when social engineering is such a paramount threat to businesses today?
What is Social Engineering?
Social engineering can be defined as “the application of psychological and sociological principles to specific problems”. However, I’m sure what comes to mind for those of you who are familiar with social engineering is something along the lines of “malicious action that influences people to take action not in their best interest”. Either way, it is important to understand that social engineering itself isn’t malicious. It becomes malicious when an attacker uses it to gain information or access they are not entitled to.
Now, why are so many people unaware of the dangers of social engineering, and why is it still so neglected in business security? Most of this can be attributed to a lack of understanding and awareness. These ten reasons will hopefully bring the dangers of social engineering to light.
Devastating Damage
Though not commonly reported in the media, social engineering has caused some of the most devastating damage to people, property, and businesses. One such attack cost a company 39.1 million dollars: San Jose-based Ubiquiti Networks Inc. fell prey to a social engineer. The attack carried out is called a “CEO scam”, in which the attacker pretends to be the CEO or another person in a position of power. In this case the social engineer emailed someone in the finance department requesting a transfer of money or assets. Because the attacker impersonated someone with higher authority, the attack succeeded, while the employee thought they were simply following orders.
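The CEO scam described above leaves recognisable traces in the mail itself: an executive's display name on a message that did not come from the company's own domain, a Reply-To that silently points elsewhere, and a payment request wrapped in urgency or secrecy. The following is an added example (not code from the article or from Ubiquiti) of a defender-side screening heuristic that scores a parsed message on those traces. The company domain, executive roster, field names and sample messages are all constructed assumptions for the demonstration.

```python
"""Heuristic screen for CEO-impersonation ("CEO scam") e-mails.

Added example, not code from the original article. It assumes a mail
pipeline that has already parsed each message into a dict with
display_name / from_addr / reply_to / subject / body fields. The company
domain, executive roster and sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

COMPANY_DOMAIN = "example-corp.test"                  # assumption: our own domain
EXECUTIVES = {"jane doe": "CEO", "raj patel": "CFO"}  # constructed roster

# Phrases typical of a payment request and of pressure tactics.
# Tuned for recall; the score threshold below provides the precision.
PAYMENT_RE = re.compile(
    r"\b(wire|transfer|payment|invoice|gift cards?|bank (account|details))\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|today|asap|confidential|do not (tell|discuss))\b", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(msg: dict) -> Verdict:
    """Score one parsed message; reasons explain every point awarded."""
    v = Verdict()
    name = msg.get("display_name", "").strip().lower()
    sender_dom = _domain(msg.get("from_addr", ""))
    # An empty Reply-To means replies go back to the sender address.
    reply_dom = _domain(msg.get("reply_to", "") or msg.get("from_addr", ""))
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"

    role = EXECUTIVES.get(name)
    if role:
        if sender_dom != COMPANY_DOMAIN:
            if 0 < _edit_distance(sender_dom, COMPANY_DOMAIN) <= 2:
                v.add(50, f"{role} display name from look-alike domain {sender_dom}")
            else:
                v.add(40, f"{role} display name from external domain {sender_dom}")
        if reply_dom != sender_dom:
            v.add(20, f"Reply-To domain {reply_dom} differs from sender domain")
    if PAYMENT_RE.search(text):
        v.add(20, "payment/transfer request in text")
    if URGENCY_RE.search(text):
        v.add(10, "urgency or secrecy language")
    return v


def is_suspicious(msg: dict, threshold: int = 60) -> bool:
    return assess(msg).score >= threshold


# Constructed sample messages: two impersonation attempts and one genuine mail.
SAMPLE_MESSAGES = [
    {   # constructed: executive name on a free-mail account, payment + urgency
        "display_name": "Jane Doe", "from_addr": "jane.doe.ceo@freemail.test",
        "reply_to": "", "subject": "Urgent wire transfer",
        "body": "I need you to process a wire transfer today. Keep this confidential.",
    },
    {   # constructed: look-alike domain (c0rp instead of corp)
        "display_name": "Raj Patel", "from_addr": "raj.patel@example-c0rp.test",
        "reply_to": "", "subject": "Invoice payment",
        "body": "Please pay the attached invoice immediately.",
    },
    {   # constructed: legitimate internal mail that merely mentions payments
        "display_name": "Jane Doe", "from_addr": "jane.doe@example-corp.test",
        "reply_to": "", "subject": "Q3 planning",
        "body": "Let's review the payment schedule at Thursday's meeting.",
    },
]


def flagged(messages=SAMPLE_MESSAGES) -> list:
    """Indices of messages that cross the suspicion threshold."""
    return [i for i, m in enumerate(messages) if is_suspicious(m)]


if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES):
        v = assess(m)
        print(f"[{i}] score={v.score} suspicious={v.score >= 60}: {'; '.join(v.reasons)}")
```

The genuine message scores points only for the word "payment", which is why the threshold sits above the text-only signals: the decisive evidence is an executive's name arriving from a domain the company does not own. In practice the roster and domain list would come from the directory, and a flagged message would be routed to a verification step (a call-back to the executive on a known number) rather than silently dropped.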
Poor Security Policy
Many companies believe they have an adequate security policy. They would be wrong. Not only does the security policy have to cover procedures, rules, and actions, but it also must be understood and followed by employees. Many policies are written as long, unbearable walls of minutiae. As a result, employees are unlikely to familiarize themselves with the policy or keep up with updates, which leads us to the third reason.
Humans are the weakest link
Most people would believe that physical access control and network security are the most important parts of protecting a business. Sadly, neither of those is at the greatest risk of being attacked, because humans are the weakest link in any security system. Relying on nothing more than human nature, those who know what to do can gain access to the most secure locations and networks.
Humans are Ignorant
One of the biggest reasons many security systems fail is human ignorance. When social engineers prepare for an attack, they gather large amounts of information to improve their chances. This often leads to the social engineer knowing more about an employee’s job, rules, and procedures than the employee does, which almost guarantees success on the social engineer’s part.
Poor Identity Management Systems
Businesses often have poor identity management, whether they use one simple PIN across all areas of access or require no ID at all. Having multiple complex passwords and codes for identification may be annoying, but it also decreases the chance that one person could compromise access to the whole network or location. Sadly, no one wants to take those steps, let alone ensure their employees follow them.
The Illusion of Security
Perhaps one of the scariest reasons social engineering is a threat is the illusion of security. It is better to know you are in the crosshairs of a social engineer than to think you are immune to any attack. No system is ever completely secure, and simply knowing that will help you. Doing something about it, or even just realizing you aren’t secure, is better than hiding behind the illusion that you are.
Human Tendencies
Social engineers love human tendencies; these are what allow them to carry out foolproof attacks. For example, people will help others, and will especially help those who have helped them. Knowing this allows the social engineer to tailor the attack to guarantee success. Other tendencies include obedience to authority, acting to avoid a loss or to gain a reward, and laziness.
Lack of Awareness
As mentioned earlier, there is little awareness of social engineering in the workplace, and that is certainly not for lack of danger. A simple web search reveals millions in damages, stolen dollars, and stolen identities. You will rarely find a business that educates its employees about the dangers of social engineering and shows them how to handle the threat; but how can you do that if you are not aware of it in the first place?
Security Takes a Back Seat in Many Businesses
A CEO can put security on hold and then furiously demand to know why there is an intruder in the network. This is a result of many businesses putting security far down on the “important list”, which is funny considering millions are spent every year on fancy locks and the latest firewall upgrades. Likewise, how can you expect to mitigate social engineering threats when the business is unaware of them? Even worse, any potential action would have to take a back seat to business systems even if a threat were imminent.
Social Engineering is on the Rise
Finally, the last reason…that I will share. It is definitely not the last reason why social engineering is a greater threat than many make it out to be. Over the coming years, business spending on cyber and physical security is expected to grow exponentially, but that doesn’t combat the growing social engineering threat. As technology continues to become more secure, people are just sitting there. Social engineers recognize this.
These ten reasons have hopefully brought to light a danger in the dark. Too many businesses are unaware of and unprepared to handle these threats.