Even the least tech-savvy consumers are quickly becoming aware of important steps they can take toward greater cybersecurity. In this third decade of the 21st century, fewer and fewer people will fall into clumsy traps in which they are invited to — for instance — “click this link to collect your lottery winnings of $5 million”.
As both IT pros and consumers are becoming harder to trick, however, cyber criminals are also growing smarter. Today, 98 percent of cyber attacks incorporate elements of social engineering. Also called “human hacking”, social engineering uses psychology to prey on our fears or exploit our vulnerabilities. Used in the context of cyber attacks, victims can be persuaded to download malware or click questionable links that ultimately lead to the breach of sensitive data.
Those who thought IT professionals are immune to these forms of attack would be wrong — 47 percent of IT professionals reported that they had, themselves, been the target of attempted social engineering in the last year alone. Although many of these incidents are ultimately unsuccessful, cyber criminals use this form of attack for the simple reason that it often pays off.
People who are unfamiliar with the intricacies of social engineering are, unsurprisingly, most likely to become victims. That’s why 60 percent of IT pros warn that new hires are at high risk of social engineering. When a new employee finds themselves tricked by social engineering, the entire company can suffer devastating consequences that may range from financial loss and identity theft to extremely sensitive data breaches.
The fact that social engineering attacks are increasingly targeted is especially concerning. In recent times, 60 percent of companies had to deal with social engineering attempts that sought to exploit fears related to COVID-19 by sending emails that appear to come from the CDC and related organizations. Social engineering attacks may also combine hacking or OSINT techniques to craft such a personalized message that it’s hard to believe it could be malicious. One example of this would be the exploitation of rebate tracking websites — the victim would receive a message with information about an item they have recently purchased, and easily click on supposed rebate links.
To combat social engineering attacks and protect the entire organization, employee training is absolutely essential. An organization is, after all, only as strong as its weakest link, and one new hire can unwittingly make a disastrous cyber attack possible.
Because the vast majority of cyber criminals rely on social engineering, and employee training is the best line of defense, every business should take this training as seriously as it would their firewall or penetration testing. New employees may be especially vulnerable, but it would also be prudent to remember that trends in cyber crime evolve constantly. Making employee training against social engineering a core part of company culture, and running training sessions at least quarterly, goes a very long way toward shielding a business from these psychological attacks.
If you want to find out more about how you can train your employees against cyber attacks speak to us today.