The best cybercriminals tend to be innovative and intelligent. They constantly update their strategies and tactics to account for new developments in the cybersecurity landscape and always manage to find new vulnerabilities to exploit.
For small and mid-sized organizations, the cybercriminal threat will never go away completely.
As long as there is valuable data to be illicitly gained and used, enterprising criminals will try to get their hands on it.
Technology is constantly advancing, and with it come new cybersecurity paradigms alongside new vulnerabilities. In 2018, 83% of security professionals reported experiencing phishing attacks, up 7% from the previous year. Reports of business email compromise rose 70% over the same period.
Phishing has long been the preferred attack vector for cybercriminals. However, many are now deploying phishing strategies that rely on a far more effective tactic: social engineering.
What Is Social Engineering?
Social engineering refers to a variety of tactics that people (not just cybercriminals) use to influence behavior using psychological manipulation. It leverages biases and well-known deceptive fallacies to take advantage of people in order to achieve a goal.
Social engineering tends to carry a negative connotation due to its association with deception, hacking, and cybercrime. The academic flip-side to social engineering is behavioral economics, the study of decision-making by irrational actors in inconsistent systems.
Whenever cybercriminals exploit the human element as part of a cyberattack, they are engaging in social engineering. This can mean anything from impersonating an employee on the phone to posing as a delivery driver and tailgating an employee inside an access-controlled area.
Cybercriminals have realized that these old-school spy movie tricks actually work. They work on the phone, they work on email, and they work in person.
There are a few reasons why these tactics work and why they are becoming more prevalent throughout the cybersecurity world:
- Personal Data Is Easy to Find. Impersonating a close friend or relative is much easier now than it was 20 years ago. Most people prominently display their relationships on social media, along with a broad variety of other information about them.
- Data Is Machine-Readable. Web crawlers can interpret your social media data and extract useful information for cybercriminals in a fraction of a second. Social engineering is not nearly as time-consuming as it used to be.
- New Skills Are in Demand. In the past, cybercriminals were almost exclusively IT experts. Now, a new class of cybercriminal with competency in psychology and marketing is emerging, leading to new kinds of exploits that don’t focus exclusively on technology.
- Technology Can Now Be Outsourced. Ransomware-as-a-service and similar dark web solutions make it easy for non-technical cybercriminals to deliver innovative attacks. The traditional Hollywood depiction of a caffeine-fueled cyberpunk computer hacker is no longer applicable to most cybercriminals.
What Can Small and Mid-sized Organizations Do?
Protecting against social engineering is notably more complex than protecting against an IT-based hack.
Human behavior is not reducible to a logical sequence of 1s and 0s the way business applications are, which means there is always room for an unexpected, innovative attack.
Since organizations can’t reasonably enforce phishing prevention rules that rely on controlling employees’ personal lives, they can’t prevent their employees from posting personal information on social media. The best they can do is educate their workforce about the threat of social engineering and implement solutions designed to mitigate the most serious risks.
Large enterprises and governments typically implement multi-layered approaches. These are sophisticated security strategies that successfully quarantine compromised systems and limit the damage that cybercriminals can inflict.
Small and mid-sized businesses have long been priced out of these kinds of security approaches. But new services like DuoCircle’s real-time Phish Protection and Advanced Threat Defense level the playing field between the world’s largest, most powerful organizations and the small businesses that cybercriminals disproportionately target.
Small businesses simply cannot afford to implement their own custom-coded application suites, so they have to use hosted solutions like Office 365 and similar products. Securing this kind of business architecture requires an appropriately scaled multi-layered security system, which includes:
- Consistent Training. Training is a major part of any security strategy. However, it can’t do all the work for you. Employees need to understand the threat that social engineering poses and have access to tools and solutions for mitigating those threats.
- A Next-Generation Firewall. Next-generation firewall products are inexpensive, yet several orders of magnitude more effective than run-of-the-mill firewalls. They play a critical role in preventing malicious code from executing once inside your network.
- Virtual Private Networking. If your organization relies on remote or traveling employees, it must incorporate a system for extending security benefits to users outside the office using virtual private networking.
- Email Security. Email phishing remains the most common attack vector that cybercriminals use to gain illicit access to company systems. Implement real-time phishing protection to prevent employees from accidentally downloading malicious software.
- Domain Name Spoofing Protection. One popular social engineering tactic is impersonating trusted websites by spoofing their domain names. Even a cybersecurity expert could not tell the difference between an IDN homograph attack and the website it copies at first glance. Businesses need to deploy automated solutions for testing websites.
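As an added illustration (not part of the original article or of DuoCircle's products), the following Python sketch shows the kind of automated check a defender can run on a domain before trusting it: decode punycode so the inspected string is what the user sees, flag labels that mix writing systems, and fold a small hand-picked set of Cyrillic/Greek look-alike letters to Latin before comparing against a list of trusted domains. The confusables table is an illustrative subset (the full list is Unicode TR39), and the sample domains and trusted list are constructed for the example.

```python
import unicodedata

# Illustrative subset of look-alike letters (Cyrillic/Greek -> Latin).
# Constructed for this example; Unicode TR39 carries the complete table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}


def to_unicode(domain):
    """Decode xn-- (punycode) labels so we inspect what the address bar renders."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def scripts(label):
    """Writing systems used by the letters of one label (digits and hyphens ignored)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(text):
    """Fold confusable characters to their Latin look-alikes for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def homograph_risk(domain, trusted_domains):
    """Return a list of homograph indicators; an empty list means none were found."""
    shown = to_unicode(domain).lower()
    findings = []
    # Indicator 1: a single label that mixes scripts (e.g. Cyrillic 'a' + Latin 'pple').
    for label in shown.split("."):
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed scripts {sorted(used)} in label {label!r}")
    # Indicator 2: after folding look-alikes, the name collapses onto a trusted domain.
    # This also catches all-Cyrillic spoofs, which pass the mixed-script check above.
    folded = skeleton(shown)
    if folded != shown and folded in trusted_domains:
        findings.append(f"{shown!r} renders like trusted domain {folded!r}")
    return findings


if __name__ == "__main__":
    trusted = {"apple.com", "example.com"}           # constructed allow-list
    samples = ["apple.com", "xn--pple-43d.com", "\u0430\u0440\u0440\u04cf\u0435.com"]
    for d in samples:                                # constructed sample domains
        print(d, "->", homograph_risk(d, trusted) or "no indicators")
```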
Phishing Prevention Best Practices: Choose Real-Time Solutions
Most phishing domains and spoof websites are only live and active for less than 36 hours. For cybercriminals, that is plenty of time to send out a highly automated, highly targeted attack and begin collecting victims’ user data. For cybersecurity professionals, it’s an extremely short window of time to catch them in the act.
In order for your organization’s multi-layered security framework to be effective against social engineering tactics, it has to deliver results in real time. The clock is running from the second an employee clicks on a malicious link. If you can respond in time, you can quarantine the system and mitigate the risk effectively.
Any truly comprehensive multi-layered security system for use in today’s IT environment has to be a real-time system that protects users from innovative social engineering tactics. It must protect against email phishing and verify incoming downloads while being able to warn security professionals of suspicious events the moment it notices them.