Stay safe against the threat of social engineering
2019 has been and gone, and as we launch into a new decade the digital scene will continue to change. Part of keeping your organisation cyber safe is learning and adapting to new threats, laws, and practices as they come up, and rolling with the punches of the always-fluctuating cybersecurity landscape.
To that end, we took a look back at 2019 and identified one of the major cyber threats that presented itself, broke it down and came up with some strategies that you and your organisation can use in 2020 to protect against it. Equip yourself with these tips and head into the new year better prepared!
This particular threat was prominent in 2019, and we have chosen to focus on it to help you stay safe in 2020 and beyond—as it’s not going away anytime soon! Social engineering refers to malicious online activity that relies on human interaction and manipulation, typically used to obtain credentials for confidential accounts. It is more about psychology than traditional “hacking”, but it takes place online and is a very real threat.
The initial contact between the cybercriminal and victim can come in many forms—it might be an email or message from a friend whose account has been hacked, an email that appears to come from a trusted source, or even a physical USB drive left somewhere public to pique curiosity. The goal is the same: to encourage you to click on a link or open something that leads to the download of malware.
Some criminals will even entice victims to hand over their credentials directly, by pretending to be a co-worker or to be acting on behalf of a bank, the police, or another authoritative institution. This aligns closely with traditional “phishing” emails, which encourage readers to enter their details under some pretext, casting the net wide and reeling in the few who fall for it.
For companies, having employees vulnerable to social engineering is a big concern. If their login details for the company’s networks and systems are compromised, the amount of havoc that can be wreaked is immense.
Protect your organisation
Just clicking on a bad link can cause a lot of damage, and cybercriminals engaging in social engineering are very good at manipulating people into doing what they want. This means that, unfortunately, people are the weak link in a social engineering situation—and they can be a lot harder to “fix” than software and code!
Investing in training for your staff alongside improved general cyber security measures can reduce your risk of becoming victim to a social engineering attack. The following are a few measures we recommend:
- Security awareness training. As part of this, employees should be made aware of how to identify suspicious emails and trained to never click on a link unless they are very sure of where it is taking them.
- Restricted internet access. This may include whitelisting, which means that employees have access only to administrator-approved programs, IPs, and email addresses.
- Vulnerability management, which is the continuous process of assessing computing assets, identifying security risks and responding to them—essentially, constantly auditing your cybersecurity. There are many scanning tools available to help with this.
- Systems certification—ensuring that all systems comply with minimum standards agreed upon by the owners and guided by legal obligations such as those laid out in the NZISM.
- “Hardening” your systems and desktops. This involves reducing the attack surface, which grows with every function a system performs; in principle a single-function system is more secure than a multipurpose one. The hardening process may include configuring users, networks, and features and roles so that only what is needed is present; applying updates to patch vulnerabilities; and configuring firewalls, remote access, and services.
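The first two measures above (teaching staff to spot suspicious emails, and only accepting mail from administrator-approved senders) can be backed up with a simple automated check before a message ever reaches a reader. The script below is an added example written for this article, not code from CANDA or any product the article mentions. It parses a raw email, compares the sender domain against a hypothetical approved list, and flags the classic social-engineering tells: a display name that shows a different address than the real sender, a Reply-To that silently redirects replies elsewhere, link text that advertises one site while the link goes to another, and pressure language. All domain names and both sample messages are constructed for illustration.

```python
"""Heuristic triage for social-engineering indicators in a raw email.

Added example; not part of the original article. Domain names, the
approved-sender list and the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical administrator-approved sender domains (the "whitelisting" measure).
APPROVED_SENDER_DOMAINS = {"example.com", "example.org"}

# Phrases that commonly pressure a reader into acting before thinking.
URGENCY_PHRASES = ("immediately", "urgent", "verify your account",
                   "your account will be suspended", "confirm your password")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _host(url_or_text: str) -> str:
    """Host of a URL, or of bare text such as 'portal.example.com/login'."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _body_text(msg) -> str:
    """Concatenate the text parts of a message (single-part or multipart)."""
    return "\n".join(p.get_payload() for p in msg.walk()
                     if not p.is_multipart() and p.get_content_maintype() == "text")


def assess_email(raw: str, approved=APPROVED_SENDER_DOMAINS) -> list:
    """Return human-readable indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Sender domain is not on the approved list.
    if from_domain not in approved:
        findings.append(f"sender domain '{from_domain}' not on approved list")

    # 2. Display name carries a different address than the real sender,
    #    e.g. "finance@example.com" <mailbox@somewhere-else.net>.
    if "@" in display_name and _domain(display_name) != from_domain:
        findings.append("display name shows a different address than the sender")

    # 3. Replies are redirected to another domain without the reader noticing.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain '{_domain(reply_to)}' differs from sender")

    body = _body_text(msg)

    # 4. Link text that advertises one host while the href points at another.
    for href, inner in LINK_RE.findall(body):
        visible = TAG_RE.sub("", inner).strip()
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", visible, re.I) and _host(visible) != _host(href):
            findings.append(f"link text '{visible}' points at '{_host(href)}'")

    # 5. Pressure language typical of a pretext, checked in subject and body.
    lowered = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


# Constructed sample: a pretexting message impersonating the finance team.
PHISHING_SAMPLE = """\
From: "finance@example.com" <notices@mail-example.net>
Reply-To: replies@example-help.net
To: staff@example.com
Subject: Urgent: confirm your password
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Please <a href="http://login.mail-example.net/x">https://portal.example.com</a> immediately.</p>
"""

# Constructed sample: an ordinary internal notice.
BENIGN_SAMPLE = """\
From: Payroll Team <payroll@example.com>
To: staff@example.com
Subject: March payslips are available
Content-Type: text/html; charset="utf-8"

<p>Payslips are on the <a href="https://portal.example.com/payslips">staff portal</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", assess_email(sample) or ["no indicators"])
```

Run as-is, the phishing sample produces five indicators and the benign one none. The checks are deliberately heuristic: a message with a single indicator warrants a second look rather than automatic rejection, and the approved-sender list is only as good as the process that maintains it, which is why the article pairs technical controls with awareness training.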
Staying on top of these measures in 2020 and beyond will reduce your risk of falling victim not only to social engineering but many other kinds of cyber attack. As criminals get creative, there will be new threats to mitigate—a solid base and culture of security within your company or organisation will stand you in good stead.
CANDA are New Zealand’s ICT security certification specialists. We can help you conduct risk assessments, develop system security plans, pin down your cloud security and generally make sure that your organisation is as safe as possible from cyber threats. Contact us to find out how we can help you enter a new decade with minimal risk.