Tips for Avoiding Socially Engineered Data Breach

A hefty IT budget, high-end security tech, and a roomful of analysts often cannot stop a well-crafted social engineering hack. Instead of exploiting a gap in hardware, hackers target humans to gain access to network data. It is called social engineering.

In 2013, Target Corporation suffered a brand-damaging hack that pilfered the personal information of more than 40 million customers. Investigation of the data breach found that hackers gained access through a heating, ventilation, and air conditioning (HVAC) vendor who worked with Target. The third-party vendor was the target of a phishing attack.

Phishing is a practice whereby bad actors pose as legitimate business or personal contacts to convince an employee to take an action. The action might be providing access to a network, or clicking a link that launches malware used to orchestrate an electronic invasion.

A recent report from cyber security vendor Proofpoint describes three types of opportunistic social engineering:

  • Large-scale online campaigns, advertisements, and emails that encourage and entice users to click links, download documents, or disable their anti-virus protection in order to provide or receive fake information.
  • More targeted efforts attempt to trick employees into providing passwords, temporary access, or other means into an otherwise secure network. In a recent, high-profile case, a hacker telephoned the U.S. Department of Justice (DOJ) stating he was an employee unable to access the DOJ network. He was provided a code that gave him access to contact information for employees of the DOJ and Federal Bureau of Investigation (FBI).
  • Individual, well-researched attacks on company officers, or administrative staff, which create a façade of legitimacy convincing enough that employees arrange large transfers of cash, or data, without question.

When a data breach is caused by malware, most victims unwittingly infect their own computer, and possibly its larger network. Clicking on a survey, checking out an engaging story, or downloading an informative document can easily give hackers access to business or personal data.

Consider these important tips for protecting yourself from social engineering attacks:

1. Use the technology: Engage cyber security professionals to assess your network platform and practices. Use anti-virus software, filters, anti-phishing capabilities, and firewalls, and create standard procedures for handling email and incoming communications.

2. Security awareness: Ongoing training is critical in order to create and maintain a culture of security awareness. Through intranets, electronic newsletters, weekly security tip sheets, and in-house social media, be sure employees are actively offered topical and timely information on recent scams, frauds, and data breaches, and on how they might recognize and respond if approached online. Offer training and updates on current phishing schemes, the inviting language they use, and the offers used to encourage the download of malware. Educate yourself, and your workforce, to build and support data and brand safety.

3. Physical security: Being cautious while walking or talking still matters. In your workplace, or any secure building, do not allow yourself to be tailgated. When you let another person, willfully or unintentionally, into a building for which only you have security clearance, it is called tailgating. Through the front door, or the loading dock, unauthorized personnel can quickly create a safety or data danger. On the telephone, even when you are in a rush, do not give out, or confirm, personal information to an unknown party, whether at home or at work. Be wary of unsolicited technical support calls.

Last tip? If you find a flash drive on the ground in the parking lot of your workplace, throw it away without ever plugging it into your computer.

While you can secure your network, and your third-party vendor connections, it is far more difficult to manage human curiosity, the prime target of social engineering.

When you are concerned about electronic or physical security and assessment, speak with an expert in security consulting.