Pick any recent data breach. It could be a high-profile one or one of the many that never make national headlines. If we were to follow the string of events back to the beginning of that compromise, what would we find?
Chances are, it’s an employee getting duped by a cybercriminal.
In fact, one could make the case that social engineering is the single biggest issue facing organizations when it comes to cybersecurity. No matter how big of a fortress you build, all it takes is one employee to open the gate and let the bad guys walk into the heart of a business.
One of my favorite cartoons sums up the issue facing businesses:
With all of the recent W-2 breaches in the news this year, I’ve been thinking once again about the issue of social engineering. What can businesses do? It seems every article I read only points out the problem and then makes vague references to “awareness.”
In 2015 SurfWatch Labs interviewed a variety of people to try to get to the heart of that question, and I think it’s a good idea to revisit that conversation eight months later. After all, it is a problem that will never go away.
Essentially, everyone agrees that a three-pronged approach is the key to limiting the success of cybercriminals using social engineering tactics:
- Use technology and tools to limit the exposure to social engineering
- Train employees so those social engineering attempts that do get through are less successful
- Realize that even the best trained organizations aren’t perfect, so have tools and a response plan in place to limit the potential damage
Let’s briefly expand on the first two points about prevention.
Limiting Exposure to Social Engineering
Technology is getting better at limiting users’ exposure. Take email as an example. In 2006 about 30 percent of an average Hotmail user’s inbox was spam — a huge problem. By 2012 that number was down to 3 percent. In July 2015, Google released its latest numbers, and less than 0.1 percent of the average Gmail inbox was spam.
The less malicious activity that gets through an organization, the less potential there is for an employee to make a mistake. There are several ways an organization can go about this goal, as have been outlined by many groups and organizations dedicated to fighting social engineering such as the Anti-Phishing Working Group.
Some best practices specific to phishing include:
- Filtering and endpoint technologies – Filtering technologies are great at catching high-volume, low customization spam. Endpoint solutions can also combat things like malicious attachments.
- Blocking images, links, and attachments – Disabling images and links in emails from untrusted senders can help users identify legitimate emails and prevent employees from clicking malicious links. Disabling Microsoft Office macros from Internet-obtained documents can help block a common attack vector that has led to many recent data breaches.
- Email authentication – Phishers often forge information to make it appear as if the message originated from a legitimate institution. Email services like Gmail as well as corporate email servers use authentication methods to combat this including Sender Policy Framework, Domain Keys Identified Mail, and Domain-based Message Authentication, Reporting and Conformance.
- Web traffic filtering – There are many websites that are known to steal user credentials. These phishing websites are often collected into lists by both commercial vendors and free services like PhishTank. Blocking access to these sites can limit the opportunity for users to fall victim to social engineering.
Some other areas that can be useful in preventing social engineering include:
- Authentication – Malicious actors will often impersonate others outside of email, so it is important to have strong ways to authenticate users.
- Physical security – Physical security limits the ability for unauthorized individuals to access areas, eavesdrop on conversations, and use baiting (like dropping a malware-loaded USB stick). The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.
Training Employees and Raising Awareness
Even with security technology in place, employees will still make mistakes. Security company RSA learned this in 2011 when a phishing email targeting four low-level employees was caught by a filter and placed in their junk folders; however, one of the employees enticed by headline — “2011 Recruitment plan.xls” — retrieved it from the folder and opened the attachment, leading to a compromise that cost the company $66.3 million.
That is why training and awareness is often touted as the most important and cost effective step in combating social engineering. According to the 2016 Verizon Data Breach Investigations Report, 30% of phishing messages were opened and 12% went on to click the malicious attachment. And in 2016 phishing is on the rise, according to SurfWatch Labs data. Additionally, a recent Ponemon Institute study examining six proof of concept studies found that phishing training led to employee click rates being reduced between 26-99%.
This lead Ponemon to conclude, “Assuming a net improvement of 47.75%, we estimate a cost savings of $1.80 million or $188.40 per employee [for the average organization].”
Some of the do’s and don’ts of a good security training program include:
Social engineering is one of the biggest cyber threats facing organizations; however, many businesses devote relatively few resources to addressing this problem. Implementing technology and tools to limit the exposure to social engineering and training employees may be the most cost effective way for many organizations to significantly improve their cyber risk.