Small businesses are more vulnerable than ever before to hacks and security risks. One of the biggest vulnerabilities comes from social engineering: hackers piece together information from company websites, social profiles and even phishing emails to con an employee into taking an inappropriate action, such as wiring money to a fraudulent account or sharing credentials for sensitive company accounts. Forbes reports that as many as two thirds of all attacks now involve social engineering.
What steps can you take to help protect yourself against today’s biggest hacking threats?
Understanding Social Engineering
Leading up to a social engineering attack, a hacker gathers information on recent events, people and communication styles from publicly available company information. They might review websites, social media accounts, press releases, media coverage and the personal content of specific executives. From this information, the hacker learns the context, voice and style needed to craft a convincing email or request to an employee. The hacker then spoofs your email account and impersonates an executive; for example, the hacker might ask the targeted employee to make a financial transfer or send private data.
Some of the more common social engineering methods to look out for include:
- Basic social engineering or whaling attacks: impersonating an employee and requesting a financial transaction, access to data or secure information.
- Watering holes: during this type of attack, malicious code is injected into public websites that certain types of people visit. Often, websites in a certain industry or sector are targeted to impact selected victims, whether it’s people who work in a field such as finance or are part of a specific political party.
- Phishing: this occurs when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
- Quid Pro Quo: attackers place phone calls to employees’ direct lines and offer something in exchange for information or access to key systems. A common approach is impersonating IT support and asking employees to temporarily disable their virus protection so the caller can "install software updates." From there, data is stolen or malware is loaded onto the system.
- Vishing: using phone calls to gather personal information. For example, a cybercriminal may impersonate a customer and invent an emergency to get a flustered customer service rep to rush through an otherwise secure procedure. This scam is particularly successful when criminals use a pre-recorded message that asks, “Can you hear me?” and the person answers, “Yes.” That recorded “yes” is then used to access other systems.
- Physical: criminals may, upon occasion, gain physical access to a building using false credentials.
As social engineering becomes more prevalent, small businesses need to consider a variety of strategies to protect their information. Training employees, establishing clear social media policies and investing in private collaboration tools are all critical steps small businesses can take to help protect themselves against these targeted attacks.
Protecting Your Business Against Social Engineering
1. Have an Open Source Intelligence Report Developed
Like any discipline, social engineering is constantly evolving. The tools and schemes are continuously becoming more sophisticated and more devious. However, social engineering can only be effective when there’s enough information available online about your business for an attacker to impersonate your company convincingly. As a business owner, it can be difficult to know where you might inadvertently be publishing information that hackers could use.
Small businesses are increasingly hiring firms to conduct this research and develop an open source intelligence report. The term was borrowed from the intelligence community, but the report can help you quickly establish what’s online about your business and whether you need to remove any specific data. The researcher will evaluate your social media presence, media reports, websites, publicly available research and any other information that’s available. From there, they’ll be able to identify information that could be a threat and make strategic recommendations about what to take offline or how to update your public communications moving forward. For example, one such report found that employees were using social media channels to discuss travel plans, client work and other information the company didn’t want public. The company invested in affordable secure messaging tools and an internal social network to keep those discussions protected.
2. Train Your Employees
Training your employees may be one of your best lines of defense against cybersecurity risks. Most employees understand the importance of using a virus prevention program, but they may not be prepared for more sophisticated threats. Educating your employees on the specific security threats that are prevalent today is key. Don’t just discuss them at a high level. Provide examples and warning signs of what to look for, such as:
- Situations manufactured to create false urgency, such as “Send now or else.”
- Poorly written or crafted emails with misspellings and other red flags.
- Requests that are out of the ordinary or violate a specific procedure.
- Requests from a person that “sound wrong” or seem out of character. One common example is a request from someone in the accounting department to make a previously unknown wire transfer for a large sum of money, with a tight timeframe that makes it harder to verify.
- Questionable links or attachments in emails. Many companies adopt policies such as not opening attachments or clicking links from unknown senders, and use email scanning tools to flag potential issues in incoming mail.
Encourage employees to reach out to a supervisor or the person making a request for verification before sharing any information.
3. Invest in Secure Collaboration Tools
To protect against social engineering, ensure that your information is shared securely. Social engineering depends on hackers gaining access to information that’s shared publicly. Collaboration tools make it easier for your teams, both in internal conversations and in conversations with third parties, to keep data, discussions and company information secure. Investing in secure collaboration tools makes it easy to share files, edit documents, provide status updates and have conversations without making any of that information publicly available. When you choose the right platform with strong security features, the system itself is also harder to compromise.
4. Invest in Anti-Phishing Tools
It’s also important that your company leverages the full suite of anti-phishing tools available on the market. These tools often have features that identify spoofed emails, and some even offer custom server-based “stationery” that adds a watermark to emails sent through the company’s system. Strong malware and virus protection, firewalls, email filters and network security also help to ensure that social engineering efforts fall flat.
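To make the warning signs from the training section and the spoof detection mentioned above concrete, here is an added Python example (not code from the original article or from any vendor’s product) that scores an email against those signs: manufactured urgency, an out-of-the-ordinary money request, a sender that “sounds wrong” (an executive’s display name on a lookalike domain, or a Reply-To that points somewhere other than the From domain), and questionable links or attachments. The company domain, executive names and the two sample messages are constructed for the demo, and a real mail filter would use far richer signals than these string matches.

```python
"""Toy phishing-indicator checker (added illustration, not the article's or a
vendor's code).  It flags the warning signs the article lists so that a message
with several of them can be held for verification with the supposed sender."""
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"Dana Chief", "Sam Finance"}          # assumed executive display names
URGENCY = ("send now", "immediately", "urgent", "or else", "right away", "asap")
MONEY = ("wire transfer", "wire", "gift card", "invoice", "bank details")
RISKY_EXT = (".exe", ".js", ".scr", ".hta", ".vbs", ".iso")


def _looks_like(candidate, legit):
    """Crude lookalike test: undo common digit/letter swaps (examp1e, exarnple)
    and compare the result with the legitimate domain."""
    swaps = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
    normalised = candidate.translate(swaps).replace("rn", "m")
    return normalised == legit


def indicators(msg):
    """Return a list of human-readable warning signs found in msg.

    msg is a dict with keys: from, reply_to (may be ''), subject, body,
    links (list of URLs) and attachments (list of file names)."""
    found = []
    text = f"{msg['subject']} {msg['body']}".lower()

    # 1. Manufactured urgency ("send now or else")
    hits = [p for p in URGENCY if p in text]
    if hits:
        found.append(f"urgency language: {', '.join(hits)}")

    # 2. Out-of-the-ordinary request: money movement in the message text
    if any(w in text for w in MONEY):
        found.append("requests a financial transaction")

    # 3. Sender "sounds wrong": executive's name on an outside or lookalike domain
    name, addr = parseaddr(msg["from"])
    from_domain = addr.rpartition("@")[2].lower()
    if name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        found.append(f"display name {name!r} but address on {from_domain}")
    if from_domain != COMPANY_DOMAIN and _looks_like(from_domain, COMPANY_DOMAIN):
        found.append(f"lookalike domain {from_domain}")

    # 4. Reply-To steering answers to a different domain than the From address
    _, reply = parseaddr(msg.get("reply_to", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    # 5. Questionable links (outside the company) or executable attachments
    for url in msg.get("links", []):
        host = (urlparse(url).hostname or "").lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            found.append(f"link to external host {host}")
    for fn in msg.get("attachments", []):
        if fn.lower().endswith(RISKY_EXT):
            found.append(f"executable attachment {fn}")
    return found


def needs_verification(msg, threshold=2):
    """True when enough signs stack up that the employee should confirm the
    request with the sender through a known-good channel before acting."""
    return len(indicators(msg)) >= threshold


# Constructed sample messages for the demo
SAMPLE_PHISH = {
    "from": "Dana Chief <dana.chief@examp1e.com>",
    "reply_to": "accounts@mail-relay.example.net",
    "subject": "URGENT wire transfer needed",
    "body": "Send now or else the deal falls through. Wire 48,000 to the attached bank details.",
    "links": ["http://examp1e.com/invoice"],
    "attachments": ["invoice.pdf.exe"],
}
SAMPLE_NORMAL = {
    "from": "Pat Peer <pat@example.com>",
    "reply_to": "",
    "subject": "Lunch menu for Friday",
    "body": "Vote for pizza or salad by Thursday.",
    "links": ["https://intranet.example.com/poll"],
    "attachments": ["menu.pdf"],
}

if __name__ == "__main__":
    for label, m in (("phish", SAMPLE_PHISH), ("normal", SAMPLE_NORMAL)):
        print(label, "-> verify:", needs_verification(m))
        for line in indicators(m):
            print("   ", line)
```

The verification threshold deliberately sits at two signs rather than one: a genuine urgent request from the accounting department will trip the urgency check on its own, and the point of the article’s advice is to pause and confirm through a known channel when several signs coincide, not to block every message that mentions an invoice.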
Today’s biggest criminals and hacking threats are becoming more sophisticated, and the information they collect through social engineering makes these attacks even more effective. To combat this behavior, you need to invest in effective employee training, technology tools and ongoing security audits to ensure you’re taking every step needed to protect confidential information, intellectual property and client data.