Cybersecurity
Human error is the greatest threat to cyber security
Social engineering scams are dependent on the vulnerability of human nature, writes DAN THORNTON, CEO of cybersecurity firm GoldPhish
Time and again, at the heart of every successful cyberattack is a human error. As social creatures, human behaviour is simply predictable – our vulnerabilities to being deceived and cheated are susceptibilities that we share with all other people, and are, therefore, well-known and easy to exploit. We tend to think of cybercrimes as being rooted in the bad guys using their tech skills to hack into computer systems, but the reality is that almost all cyberattacks include manipulating people.
The urge to please others and the tendency to be trusting are qualities nurtured by our socialisation. In the workplace, these predispositions are frequently acknowledged as valued interpersonal skills and hallmarks of an effective team player. Yet, they are the exact same drivers that can cause us to unthinkingly click on a phishing email, provide our login details and expose our company’s entire customer base or supply chain to a shadowy cybercriminal syndicate.
Social engineering attacks refer to cybercrimes that take advantage of and abuse typical human behaviour, and they contribute significantly to the trillions of dollars of lost revenue across the globe each year.
Social engineering is the art of manipulating people so they give up confidential information or carry out actions they shouldn’t. Criminals use social engineering tactics because it is a lot easier to exploit a person’s natural inclination to trust than it is to discover ways to hack a company’s software. People are bombarded with communications 24/7. As we strive for maximum efficiency, we don’t hesitate in replying to messages and taking action as soon as possible so we can move on to the next task.
Additionally, we are conditioned to be as helpful as possible, especially in the workplace, so when a colleague or manager is requesting something we jump at the opportunity to demonstrate this without hesitation. We don’t pause to think or to verify whether or not the email in our inbox requesting our login details is actually from our company’s IT department or a scam using their identity.
In our cybersecurity awareness training aimed at SMEs, GoldPhish helps companies and their employees gain awareness of social engineering tactics so that they can defend themselves against ever-increasing attacks. The most common forms of these are email-based known as Phishing, SMS-based known as Smishing, and voice/telephone attacks known as Vishing.
Well-organised crime syndicates carry out different forms of social engineering attacks depending on their target. A generic Phishing campaign, which often has a low success rate, will target a huge audience of potential victims in an attempt to trick them into providing confidential data. Far more concerning is a ‘spearPhishing’ attack which is focused on an individual who has been researched using the internet and social media, enabling the cybercriminal to craft the most convincing communication possible to convince the victim to fall for the scam.
These sorts of campaigns may take weeks to prepare but they have high success rates. Cybercriminal syndicates will also go after specific business targets rather than an individual using the spear Phishing tactics to gain access to company systems, infect their networks with ransomware or trick employees into transferring money into their accounts.
According to the global research group ThoughtLab, which published the 2022 report Cybersecurity solutions for a riskier world, cyberattacks on companies and nation-states are not just increasing exponentially but are also being socially engineered in more sophisticated ways.
This highlights the need for increased cybersecurity awareness on all levels of the business. You cannot effectively safeguard your systems and data by just implementing software solutions. We know from the data that the human factor is critical. Employees need to understand social engineering methods and the psychology that makes it possible for cybercriminals to manipulate people.
Social engineers are adept at setting up a pretext where they can be trusted and then building their credibility with their target incrementally. A socially engineered attack can happen, not simply because a person was more gullible than they should be, but because they were psychologically manipulated to a high degree. In the end, the protection of your business involves having a cyber-savvy workforce.