Start a new job within a large enterprise and some form of cybersecurity training will be included in initial onboarding. This is being driven by the carousel of headlines relating to hacks and data breaches, and the subsequent stories of large regulatory fines, huge damages to reputation and drastic drops in sales and profitability. It’s becoming clear that the cost of delivering training is a worthwhile expense to minimise the opportunities of a harmful breach occurring.
It’s a different story within many small and medium-sized enterprises (SMEs). When budgets are tighter, cybersecurity is often deprioritised with firms forced to invest resources on activities that have a more obvious impact on growth. While understandable, many are taking too much of a gamble by not even providing basic cybersecurity training. Not investing in the most advanced cybersecurity tools is one thing, but employees without a basic understanding of how to keep data secure can unintentionally place information at risk and significantly increase the likelihood of it being compromised.
One example of how a lack of understanding can cause an issue is exposure to social engineering attacks. They are scam attempts that are intended to dupe employees into giving hackers access to business information and can come in the form of emails, letters, phone calls or in person. When employees are deceived even the most stringent cybersecurity solutions are rendered useless. As such, it’s vital for small businesses to provide basic training so that everyone knows the most common types of social engineering attacks.
Phishing
The most frequently used attack. Perpetrators create emails, live chats and even full websites that are intended to impersonate a real system or business. Accompanying messages are written in a way that suggests something requires the recipient’s urgent attention.
For instance, an employee could receive an email from the ‘bank’ informing them that the corporate account has been compromised and that details must be updated immediately. An included link leads to a mocked-up login page complete with logos and branding. Thinking they need to act now, employees enter full passwords or PIN numbers.
Baiting
Very similar to phishing, baiting involves offering something to lure in an employee and results in the downloading of malware. The success of attacks relies on an employee’s curiosity or even greed, and can take place digitally or physically.
The ‘bait’ could be a new movie or video game being made available to download on a peer-to-peer site, or it could be a company-branded USB flash drive (which is infected with malware) with a label such as ‘employee evaluations and salaries’ which is left out for someone to find. Once the bait is downloaded or plugged in, malware will automatically infect the network and the hackers are in.
Quid pro quo
Again along the same lines as phishing and baiting, but this time the hacker offers a service in exchange for login information. For example, an employee could receive a call from an ‘IT technician’ who offers a free technology audit in return for access credentials; or a ‘researcher’ calls offering cash in exchange for network access.
Pretexting
Pretexting is the human equivalent of phishing. Instead of creating a landing page or email that impersonates a legitimate firm, hackers build trust with potential victims by pretending to be a co-worker or someone in authority. Perhaps someone is emailed by the new ‘freelancer’ who is working remotely asking for access to the corporate files – it’s easy to see how someone, particularly if they are busy and not fully focused, can be deceived.
Piggybacking
Also known as tailgating, piggybacking is when an unauthorised person physically follows an authorised person into a restricted corporate area or system. One common method is when a ‘worker’ asks an employee to hold a door open because they’ve forgotten their keycard – the likelihood of this happening is greater when small businesses use shared workspaces with other companies they don’t know. Another example is when employees allow others to borrow laptops and other devices for a few moments, a hacker can install malicious software in that short time.
Many small businesses take their chances with cybersecurity because they don’t think they’ll be targeted over larger firms which typically have more to lose. However, criminals don’t discriminate. Instead of simply going after the big fish, they target everyone with social engineering attacks and it’s the employees that aren’t aware of the basics that readily hand over the keys to the kingdom. Even basic cybersecurity training helps mitigate the risk that social engineering attacks pose, with employees having a better understanding of which requests are genuine or a likely scam attempt.
Basic cybersecurity training must form part of a multi-layered strategy that includes preventative tools – such as updated antivirus and firewalls – ongoing monitoring, to ensure any breaches are identified and resolved quickly, as well as backup.
When more aggressive malicious software takes hold, the most effective method for ridding it from the network is by reverting back to a healthy point before infection. When businesses take regular snapshot of their systems, they are easily able to spin up clean versions at the push of a button – ensuring continuity and no costly downtime.
Ryan Weeks is chief information security officer at Datto.
Further reading on social engineering
