There is a human element to cybersecurity vulnerability in business. These cyber risks may not come from sophisticated malware or technical vulnerabilities, but from attackers exploiting the psychology and behavior of employees, whether on their devices or in person, through clever social engineering tactics.
- Vishing is a voice-based social engineering technique, conducted over the phone or through on-site impersonation, that tricks targets into revealing information an attacker can then use to get into a network.
- It is the voice counterpart of phishing (email-based) and smishing (text-message-based) attacks.
“Malicious social engineers aren’t necessarily very technical people but they’re crafty and clever in the way they think,” said Michele Fincher, COO of Social Engineer, a consulting firm that offers training in social engineering.
Social engineering generally isn’t about technical know-how. “It’s about what connects you to others, what makes you curious and angry and what might make you act without thinking,” she explained.
Phishing accounts for 77% of all social engineering attacks; targeted businesses lost $43,000 per account, according to Social Engineer.
Impersonation-based attacks resulted in individuals losing $4,200 on average, highlighting that physical security remains an important part of a business's cyber strategy.
Businesses should provide employees with training and education to counter these attacks, said Rachel Tobac, creative director at the nonprofit Women in Security and Privacy, a group that works to advance women in privacy and security careers.
While human error cannot be eliminated in its entirety, she advised businesses to:
- Train all employees, but especially those most isolated within the company, such as interns or staff not in direct phone contact with clients, since these employees can be the entry point an attacker is looking for.
- Develop a solid social media strategy to reduce the risk that open source intelligence reveals information an attacker could use to pass as a legitimate party or to carry out an attack.
- Run vishing exercises weekly, or at least monthly, to train employees on what they should not answer over the phone.
“If you can get information from one individual — just one compromised individual — you can figure out how to get onto the network easily, you can figure out what type of badge you would make to recreate to do an onsite pretext, you can figure out how to penetrate their network through their operating system and the machines and workstations that they use. The most malicious thing that you could do is to get that individual to go to a malicious link over the phone,” Tobac continued.
Taking the steps above can “change the game” in helping businesses stay more secure, Tobac concludes.