Social engineering: when attackers hack people instead of systems
There are two types of companies: those that know they have been hacked, and those that are yet to experience it. Over 90 % of all successful attacks succeed due to human weaknesses.
Because of their strategic, unique and innovative character, companies, especially small and medium-sized enterprises, repeatedly present a valuable attack target for third parties, for example foreign intelligence services or cyber criminals. Damage to reputation, production stoppages, insolvency, loss of trust and financial loss can follow if data security in the company is not treated with the necessary care.
Many business leaders believe that data security is an IT issue and rely on technical measures to protect their businesses from cyber attacks. It is often said: “We have a firewall and a good administrator, nothing can happen to us”. Or: “This only happens to the others.” However, the human factor is overlooked or underestimated when it comes to data security.
Internal or external employees are often — intentionally or unintentionally — the target of attacks on valuable and confidential company assets. In order to find a way past the IT security measures, attackers are increasingly using the promising means of so-called ‘social engineering’. Social engineering is a method of gaining access to information through interpersonal influence. Social engineering exploits human qualities such as helpfulness, trust, fear or respect for authority. These characteristics often serve as a distraction strategy for an attacker to mislead employees into careless or negligent actions.
In targeted vulnerability assessments, experts find ways in almost every organisation to obtain information that helps plan and execute an attack. A proven countermeasure is to sensitise the organisation to possible social engineering attacks and to create security awareness. Companies should consider the following aspects:
Entry controls
An attacker can gain trust and get past entry controls by appearing confident and brash or by pretending to be someone else, for example by impersonating a technician or parcel carrier.
Measures: Regularly sensitise employees and create clear rules for building entry and system access!
Smoking area
A popular source of information is the smoking area. Usually located outside the company's buildings, it is where problems and news are discussed openly. An unknown third party is usually not noticed there.
Measures: Sensitise employees regularly!
Central department printers
Very confidential printouts that were not picked up promptly are often found here. The output tray and the wastepaper basket next to the printer are particularly valuable. If a printout cannot be found, it is simply printed again because employees assume that the print job did not work.
Measures: Protect the department printer with a PIN!
Paper baskets or paper containers
Confidential information is disposed of in the wastepaper basket and emptied by cleaning staff, for example, into paper bins or containers that are accessible to the public.
Measures: Provide easily accessible shredders with the required security level and use special data security containers!
Social media
Employees publish information about the company's internal affairs on social media channels such as Facebook, Instagram or LinkedIn.
Measures: Implement a binding ‘social media hygiene regulation’! It specifies who is allowed to publish which information about the company via which channel and when.
Cleaning staff
Cleaning staff, who clean the offices after work once all employees have left, have access to almost all areas of the company (sometimes with a master key).
Measures: Carefully select service providers, give clear instructions as to who may enter the offices after the end of the working day without further authorisation, and log all access!
Meeting rooms
Valuable information, collections of ideas, strategy sketches and so on are often left on flip charts and whiteboards in meeting rooms.
Measures: Establish binding rules on how a meeting room must be left after the meeting!
Workplace
Employees leave confidential documents on their desks or do not lock their screens when they leave the workplace for long periods of time.
Measures: Establish a ‘clean desk policy’ and automatically lock the screen after five minutes without activity at the PC workstation!
Access to stored data
Employees have access to more data than they need for their daily work. One example is the so-called ‘trainee effect’: trainees who pass through many different departments during their training often still have access to many systems and data at the end of their training because authorisations granted along the way are never revoked.
Measures: Assign authorisations restrictively, and have those responsible regularly check which access authorisations are still necessary!
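As an added example (not from the original article), the following point-in-time check detects the trainee effect described above: it compares each user's granted entitlements against the departments the user currently belongs to and reports anything left over from earlier rotations or from users with no current assignment at all. All user, system and department names are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Assignment:
    user: str
    department: str
    start: date
    end: "date | None"      # None = the user is still in this department

@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    department: str         # department that owns the system

# Constructed sample data (hypothetical): trainee1 rotated finance -> hr -> sales
# and the entitlements granted in finance and hr were never revoked.
ASSIGNMENTS = [
    Assignment("trainee1", "finance", date(2023, 1, 1), date(2023, 6, 30)),
    Assignment("trainee1", "hr", date(2023, 7, 1), date(2023, 12, 31)),
    Assignment("trainee1", "sales", date(2024, 1, 1), None),
    Assignment("clerk2", "finance", date(2020, 3, 1), None),
]
ENTITLEMENTS = [
    Entitlement("trainee1", "erp-ledger", "finance"),
    Entitlement("trainee1", "payroll-db", "hr"),
    Entitlement("trainee1", "crm", "sales"),
    Entitlement("clerk2", "erp-ledger", "finance"),
    Entitlement("leaver3", "crm", "sales"),       # no assignment record at all
]

def active_departments(user, assignments, today):
    """Departments the user belongs to on 'today' (end date inclusive)."""
    return {a.department for a in assignments if a.user == user
            and a.start <= today and (a.end is None or a.end >= today)}

def stale_entitlements(entitlements, assignments, today):
    """Entitlements whose owning department the user no longer belongs to;
    a user with no active assignment at all is reported separately."""
    findings = []
    for e in entitlements:
        depts = active_departments(e.user, assignments, today)
        if not depts:
            findings.append((e.user, e.system, "no active assignment"))
        elif e.department not in depts:
            findings.append((e.user, e.system, "moved to " + ",".join(sorted(depts))))
    return findings

def run_review():
    # Review as of a constructed date; every finding is a candidate for revocation.
    return stale_entitlements(ENTITLEMENTS, ASSIGNMENTS, date(2024, 4, 1))
```

In practice the two lists would be exported from the HR system and the access management system respectively, and the review run on a fixed schedule.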