In 2015, the average cost of the most severe online security breaches for SMEs ranged from £75,000 – £311,000
The average cost for big businesses averaged from £1,500,000 – £3,100,000
It is hard to get away from the presence and scale of the cyber security threat. The mainstream and social media are full of stories of companies who have been hit by a data breach, but there are many more you will never hear about.
TalkTalk and Sony hit the headlines worldwide in 2015, but the US National Guard, Harvard University and Blue Cross Blue Shield also lost the personal data of millions of their employees and customers. Beyond this are literally thousands of smaller organisations who have suffered data breaches that they will never make public for fear of the impact on their reputation.
Here in the UK, government figures from the Information Security Breaches Survey 2015 indicate that the average cost of the most severe online security breaches for big business ranges from £1.5 to £3.1 million and for SMEs the cost averages from £75,000 to £311,000. The same survey also shows that 90% of large organisations and 74% of SMEs reported they had suffered an information security breach during the year.
The changing nature of the threat: social engineering
So the scale of the threat is vast and growing, but even more important for corporate security professionals to note is that the nature of the threat is also changing. Firstly, as the profits from cyber crime have grown, it has attracted the attention of more organised groups with more human resources available to them, including governments, organised crime and even terrorist organisations. Secondly, as the technology response to the cyber threat has become more sophisticated, with robust firewalls and virus monitoring software now standard, cyber criminals have had to find new ways past corporate perimeter security.
The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack. This point of attack is focused on the weakest link in the corporate security chain: human beings rather than technology. The UK government data confirms this, pointing to 75% of large businesses and 30% of small businesses that have suffered staff-related data breaches in the last year.
This is what used to be known as the “insider threat”, but that inadequate terminology suggests complicity by employees in cyber crime, which is usually not the case. Instead, a more appropriate new term has been coined to describe the threat, which is “social engineering”. Social engineering has been described as an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is also defined as the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.
Social engineering techniques
There are a number of common social engineering techniques employed by cyber criminals. These include:
Spear phishing
This is probably the most common social engineering technique and is a more sophisticated version of the well-known phishing scam, where speculative e-mails are sent to large numbers of people, pretending to be from legitimate organisations, in the hope of tricking them into parting with sensitive data. Spear phishing targets known companies and individuals and first builds up a picture of them from social media, or other open sources, before seeking to extract information about their passwords in order to access a corporate data network.
This can be in the form of an e-mail message or even a remote attempt to guess a password based upon researched personal information such as dates of birth and names of family members. The attack may begin by hacking into a less secure system such as private e-mail or Twitter, but the real target is the employee’s corporate network.
Pretexting
This is a variation on phishing in which a sophisticated scenario is invented to engage a targeted victim in order to trick them into disclosing confidential security data. This social engineering engagement can often take the form of a phone call that pretends to be from their bank or a law enforcement agency, or even from their company helpdesk. Like spear phishing, this attack will usually involve some legitimate personal data that has been obtained elsewhere, which helps to create confidence in the victim that the call is genuine.
Baiting
This is a less complicated social engineering trick that relies on physical media, such as a USB stick or floppy disk loaded with malware, which is left in a location that is likely to be found by employees of the target company. This could be a smoking area, elevator, bathroom or even parking lot. A corporate logo or interesting label, such as “2015 salary details”, will increase the apparent legitimacy of the disk and sooner or later someone will pick it up and insert it into their disk drive. Once this happens the malware will immediately be installed on the system and the job is done. Compromised media can also be sent through the post to an intended victim.
Tailgating
An even more primitive form of social engineering attack is tailgating. This is where an attacker, seeking entry to a restricted area via, say, an unattended electronic gate, simply walks in behind a person with legitimate access credentials. This ruse can be supported by the attacker carrying papers or a coffee and wearing shirtsleeves and no jacket, as if they had just popped out. If challenged they may even present a fake access card, without actually using it.
Once inside the premises the attacker will seek out a vacant desk and insert a disk into it, or look for evidence of passwords lying around. A more complex version of this full frontal attack is someone entering the premises posing as a courier or a cleaner, or even an actual temporary employee who has been recruited for just this purpose.
Mitigating actions
So, what can be done from a corporate security perspective to protect your company against the new social engineering threat? Here are six good practice security tips that can help to mitigate, if not eliminate, the threat:
- Train your employees and create awareness amongst them about the social engineering threat. Warn them about information they make public on social media and about the threat from e-mails, hyperlinks and phone calls. Forewarned is forearmed.
- Protect all of your devices against viruses and other malicious code through the use of up-to-date anti-virus software. Out-of-date versions are no use at all. Also ensure that you have a bring-your-own-device policy which guards against employees introducing viruses to your network through mobile devices that they bring to work.
- Secure your network from the internet by using a firewall. Avoid using Wi-Fi, if possible, and if you have to, then make sure it is securely configured. If employees work from home, make sure that they have security on their own systems, including a firewall. Only allow secure VPN connections with employees outside the office.
- Require employees to use unique, hard-to-guess passwords and make sure that your security policy requires password changes at regular intervals. Ensure that you revoke all passwords and other forms of secure access as soon as an employee leaves the company.
- Ensure physical access to your business is restricted. Compromise of your physical security may allow hackers to access your critical system components such as servers, routers and desktops. It can also lead to the loss of confidential files and security information. Warn employees about baiting and tailgating, always enforce access policies and challenge strangers on your premises, politely of course.
- Finally, a tested and foolproof backup system is now a basic business requirement. Ensure that your backups are stored securely and test them on a regular basis. Malware can encrypt all of your sensitive data until you pay a ransom demand. A regular backup will allow you to wipe and restore rather than pay the ransom, as well as guarding against other data loss issues. Having at least one offsite or cloud backup is also essential.
System monitoring
Unfortunately, these simple steps, whilst important, are not enough on their own to guard completely against the social engineering threat. If rogue employees have been inserted inside your company, or existing employees have become disgruntled, then they will be on the inside of all of your security perimeters, no matter how robust they are.
That is when you need the additional assurance that one of the new cyber security system monitoring solutions can provide. There are now plugin devices available on the market that take only a couple of hours to configure, which can provide the normal anti-virus and malware scanning, but which also monitor your network for signs of suspicious insider activity and failed attempts to hack into the system, via multiple incorrect passwords and the like. These solutions can provide invaluable intelligence that can be acted upon proactively to nip a successful hack or insider threat in the bud.
The monitoring system will look out for failed password attempts, visits to dubious websites and other suspicious activity, such as the downloading of data unrelated to an individual’s role which is then not used for any obvious purpose. It can scan the network and identify which user login and which terminal the activity has originated from. If you have your own suspicions over an individual, you can even ask the system to retrospectively go back over data audit trails to find out if past behaviour by an individual can provide you with evidence.
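As an added illustration, not taken from the original article or from any vendor's product, the kind of detection logic such a monitoring system applies, written in Python over a constructed log of login outcomes: a sliding-window count of failed logins per user and terminal, and a retrospective audit-trail lookup for a named user. The log format, the threshold of five failures and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp user terminal outcome [detail]" format.
SAMPLE_LOG = """\
2015-11-02T08:01:10 alice WS-17 LOGIN_OK
2015-11-02T08:02:30 bob WS-22 LOGIN_FAIL
2015-11-02T08:02:41 bob WS-22 LOGIN_FAIL
2015-11-02T08:02:55 bob WS-22 LOGIN_FAIL
2015-11-02T08:03:07 bob WS-22 LOGIN_FAIL
2015-11-02T08:03:20 bob WS-22 LOGIN_FAIL
2015-11-02T08:03:31 bob WS-22 LOGIN_FAIL
2015-11-02T09:15:00 carol WS-03 LOGIN_FAIL
2015-11-02T14:15:00 carol WS-03 LOGIN_FAIL
2015-11-02T10:00:00 alice WS-17 DOWNLOAD payroll_2015.xlsx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def parse_log(text):
    """Turn raw lines into (timestamp, user, terminal, outcome, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, host, outcome, detail = m.groups()
        events.append((datetime.fromisoformat(ts), user, host, outcome, detail))
    return events

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return the (user, terminal) pairs with >= threshold failures inside one window."""
    fails = defaultdict(list)
    for ts, user, host, outcome, _ in events:
        if outcome == "LOGIN_FAIL":
            fails[(user, host)].append(ts)
    alerts = set()
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(key)
    return alerts

def audit_trail(events, user):
    """Retrospective lookup of everything a named user did, in time order."""
    return sorted((e for e in events if e[1] == user), key=lambda e: e[0])
```

Two isolated failures hours apart (carol) do not trigger an alert, while six failures within a minute from one terminal (bob) do; the audit trail shows alice's payroll download alongside her normal login.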
The scale and nature of the cyber threat can now be overwhelming for many companies that cannot afford a full-time IT team of half-a-dozen people or more. But a few simple precautions and the use of a plugin system monitoring device can go a long way towards mitigating the social engineering threat. Don’t let yourselves be caught out, or held to ransom, by cyber criminals.
Sonny Sehgal
Head of Cyber Security, Transputec