Social Engineering Risks: How to Patch the Humans in Your Organization
by Dominique René
Employees have long been presumed to be the weakest link in the corporate cybersecurity chain, and new research from Proofpoint seems to confirm it. The vendor’s latest Human Factor report claims that over 99% of email-borne cyber-attacks require human intervention to work. That means hackers are primarily targeting people, rather than technology systems, to get what they want.
The problem is: how do you find an effective security patch to fix your employees?
Falling at the first hurdle
Analysis of Proofpoint’s global customer data over the past 18 months revealed virtually all attacks on organizations begin by tricking an employee into doing something they shouldn’t. It could be something as simple as enabling a macro, opening a malicious file or document, or following a dubious link.
Some would then go on to exploit technology systems — either by covertly downloading malware, or using user log-ins to open enterprise accounts — but the all-important first step is usually made by the employee.
Phishing is the number one way to do this. This age-old technique involves an email, text, social media message, or IM spoofed to appear as if sent by a trusted source. Nearly a quarter of phishing emails seen by Proofpoint in 2018 were linked to Microsoft products. Most aimed to steal log-ins to facilitate further, internal phishing attempts, lateral movement across IT systems and other tactics.
What happens next?
Hackers are using such tactics to commit a range of cybercrimes. Most malware observed by Proofpoint was used to steal banking and other information or belonged to the Remote Access Trojan (RAT) family of threats that stay hidden on machines, continuously stealing data. However, crypto-jacking, ransomware, and Business Email Compromise are also increasingly popular. According to the report, the latter two saw detections rise 77% and 52% respectively from 2H 2018 to 1H 2019.
It goes without saying that the impact of such threats on any organization could be serious, resulting in:
- Major service outages
- Legal costs
- Clean-up, remediation and investigation costs
- Customer churn
Who is at risk?
Technically anyone in your organization could be on the receiving end of such an attack. In fact, Proofpoint warned that hackers are increasingly using multiple fictitious identities to target multiple individuals in victim organizations.
It claimed that these employees aren’t necessarily traditional VIPs. They may be selected because their emails are easily found via a remote search: 36% of such individuals could be found online via corporate websites, social media, and other means, the report claimed. Or they could be targeted because they have access to corporate funds and sensitive data.
Either way, organizations need to do better at protecting and educating these Very Attacked People (VAPs) in their midst.
Time to fight back
The question then becomes: “how do I protect my organization from my own employees?” As always, a defense-in-depth approach makes the best sense. This should start with user awareness training and education, but not rely 100% on it. By adding in other steps, you stand a better chance of knocking back the hackers in the event that they manage to trick an employee or bypass a security solution.
Staff training: real-life simulation courses should be run for all employees, everyone from your temps and contractors up to the C-level. Look for tools that allow you to tweak exercises to mimic the ever-evolving phishing techniques used by hackers. And be sure that they provide detailed feedback on each user so that you can appraise each employee and work towards genuine improvements in behavior.
Email security: next up, you need effective threat protection against any inbound attacks. These should ideally feature a range of capabilities, including URL filtering, content analysis, domain reputation, and sandboxing for advanced threats. AI tools may also help to analyze the content of emails to tell if they are malicious.
2FA: enabling two-factor authentication on enterprise accounts provides protection against phishing and other attacks designed to steal passwords from employees, because a stolen password alone is no longer enough to log in.
DMARC: enabling DMARC lets receiving mail servers check that messages using your domain pass SPF or DKIM alignment and tells them what to do with messages that fail, which provides extra protection against phishing and spoofed emails.
Disable macros: given the increasing number of attacks that work by using macros for malicious ends, it may be a good idea to disable them altogether.
This is just a snapshot of possible tactics, but it’s an indication that there’s plenty you can do to reduce the risk of a serious email-borne attack. Given that over 90% of cyber threats now arrive via email, there’s no time like the present.
About the Author
Dominique René is a young content writer who is currently working for MacSecurity.net. She is inspired by the present-day groundbreaking technological progress. Dominique’s overwhelming enthusiasm for tech matters stems from her current research in college and innate aspiration to expand her academic outlook. She’s committed to staying on top of innovative trends in computer security, online privacy, threat intelligence, cryptocurrencies, and cloud solutions.