Social Engineering: The Epidemic No One Is Talking About.

Marty Russ
Published in Crypto HaX
3 min read · Oct 8, 2019

Another ransomware incident or data breach makes headlines as you scroll through your news feed: “Hospital shut down due to Ransomware” or “Data breach affects 3 million users.” It has become commonplace for hackers to steal PII (Personally Identifiable Information) from companies or third parties. According to a somewhat recent Accenture report, in 2018 there were approximately 2.3 billion data breaches, compared to 826 million in 2017. The fact that there were 2.3 billion data breaches is shocking on its own, but HOW they happened is the real concern. A whopping 85% of organizations experienced a social engineering or phishing attack. If those stats don’t alarm you, then also know that 95% of cybersecurity breaches are due to human error; in 2018 hackers stole half a billion personal records; there is a hacker attack every 39 seconds; over 75% of the healthcare industry has been infected with malware over the last year; and the most alarming statistic of all is that, after all this, approximately $6 trillion is expected to be spent globally on cybersecurity by 2021, with no real solution in sight and attacks increasing at an alarming rate.

You, like many others, may be scratching your head and asking yourself, “With all this money we are throwing at Cyber Security, why haven’t we fixed this problem yet?” The answer is surprisingly simple, but no one is taking it seriously. Any CEO will tell you that your business thrives or dies with your employees. With Cyber Security this does not change. Vulnerability and penetration assessments, along with virus scanning software, will only protect against known vulnerabilities. Intrusion Detection/Prevention Systems will alert you to unusual behaviors, but many malicious hackers know how to bypass these triggers.

If you haven’t figured it out by now, the answer lies in spending more resources on training employees against the threats of Social Engineering. Many of these malicious hackers aren’t magicians; they prey upon the same human emotions that con artists use to deceive their victims. These criminals do their reconnaissance, and they’re damn good at it too. A well-structured “Quid Pro Quo” attack will work the majority of the time: a numbers game that rewards the victim with a service or information in return for valuable data that is then used in the data breach. An example of a QpQ attack would be an attacker who calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem and, in the process, have the user type commands that give the attacker access, launch malware, or visit a well-crafted look-alike login portal that captures their credentials.

In fact, many malicious attackers have fine-tuned their game and crafted remarkable strategies that rival those of US war and economic strategists. Attackers may not use just one form of Social Engineering attack, but may use a combination of Phishing, Spear Phishing, Quid Pro Quo, Pretexting, Scareware, Baiting, Physical Data Mining, Social Media Engineering and Tailgating. Criminal hackers sometimes even use a combination of social engineering and zero-day exploits to compromise systems. Not only is the human element being exploited, but the zero-day also goes undetected, as there is no known patch available yet. The more these companies pay ransoms in cryptocurrencies, the more eager these attackers are to earn a paycheck. We have to understand that to some, it is a game of wits, a game in which they thoroughly enjoy outsmarting their opponents, and to others, it is purely a business model; they see an untapped market waiting for exploitation.

My advice to any business, small or large: invest in your policies and procedures while continuing to analyze your risk management model. I believe the most effective way to combat this epidemic is a cocktail of Multi-Factor Authentication and intense Cyber Security Training or “Bootcamp” with a HARD emphasis on Social Engineering for every single one of your employees.
