Yes, cybersecurity is increasingly difficult for most organizations to tackle, and it is even harder for small and medium enterprises. Even though technical solutions can help your organization be more effective at countering cybercrime and espionage, the problem can often be pinpointed to the human factor.
When we evaluate the security of an organization, one of the first things a security specialist will say in the analysis is that the security of the whole is only as strong as its weakest link. And the weakest link is almost always the people working with you.
Social Engineering: It’s Still the Main Problem
The term “social engineering” can be understood as “hacking the mind”. It is a method that relies on the psychological manipulation of people, with the main goal of pushing them into performing actions or divulging confidential information without realizing they are doing something wrong, security-wise.
On the surface, you might think: “Sure, it will never happen to me. I am not that dumb.” Well, I have bad news for you. It is not a matter of being ‘dumb’ or not. It is rather a matter of being part of a system, and it is usually one of many steps in a more complex fraud scheme. Let me explain.
Humans tend to organize their social activities into structures. A really simple example of a structure is the relationship between a boss and an employee, or between a teacher and students. I am part of a structure, and, whether you want it or not, so are you.
Within that structure there are systems: essentially the codes and rules that define how you are expected to function within the structure. For example, a teacher usually stands up in front of the class, while the students sit in the rest of the room, facing the teacher.
The social engineer is a master at understanding systems and structures. This skill is used to obtain information in a way the target does not perceive, because the attacker uses the same codes and rules the target would expect in a given situation. In other words, the social engineering might take place and you would not even know it, because it would look like a normal moment in your daily routine.
For example, say you are working in an office. Someone calls and asks to talk to one of your coworkers. Of course, it is the wrong number, and you tell the person on the line so. He seems confused and apologizes for his mistake. He then politely asks you to help him by giving him the right number, so he won’t make the same mistake twice. Of course you give him the right number, because you want to help the poor guy.
Well, you just gave that person a piece of information: a phone number. It might not seem important in the grand scheme of things, but you must understand that the social engineer’s job is to gather pieces of information until he has the whole puzzle. He is then able to analyze and understand who is doing what in a business, and to pick the right target for other types of attacks; attacks that might involve computer-related tactics like malware, phishing, and spear phishing.
Your Vulnerabilities Are Your First Line of Defence
The cold hard fact is that, unfortunately, the human is, at the same time, your weakest link on the cybersecurity front line. The best example we currently have is the wave of crypto-ransomware attacks raging through the health industry, particularly in hospitals.
Usually, that malware can only be activated by luring users into thinking they are opening legitimate files received by email. This kind of scam is almost as old as the Internet, but it still works, because it relies on the fact that a user in an office receives many files on a normal working day, so opening them is not abnormal.
You see? Structure and systems.
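One defender-side illustration of the lure described above, added here as an example that is not part of the original article: a small Python routine that parses an email message and flags attachments that look like the classic “legitimate file” bait (executable or macro-enabled extensions, double extensions such as Invoice.pdf.exe, and document names delivered as a generic binary stream). The extension lists and the sample message are constructed for the example and are assumptions, not a complete gateway policy.

```python
"""Flag email attachments that look like the classic "open this file" lure."""
import email
from email import policy
from email.message import EmailMessage

# Representative, not exhaustive (assumption): extensions that execute code or
# carry macros when a user double-clicks them.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".ps1",
    ".docm", ".xlsm", ".pptm", ".jar", ".lnk", ".iso",
}
# Extensions a user expects to be harmless; a risky extension hidden behind one
# of these ("Invoice.pdf.exe") is a double-extension lure.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def extensions_of(filename: str) -> list[str]:
    """Return every extension of a filename, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess_attachment(filename: str, content_type: str) -> list[str]:
    """Return human-readable reasons why this attachment looks like a lure (empty if none)."""
    reasons: list[str] = []
    exts = extensions_of(filename)
    if not exts:
        return reasons
    last = exts[-1]
    if last in RISKY_EXTENSIONS:
        reasons.append(f"executable or macro-enabled extension {last}")
    # "Invoice.pdf.exe": a document-looking name whose real extension is something else.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last not in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension {''.join(exts[-2:])} disguises the real type")
    # A document extension declared as a generic binary stream deserves a second look.
    if last in DOCUMENT_EXTENSIONS and content_type == "application/octet-stream":
        reasons.append(f"declared type {content_type} does not match {last}")
    return reasons


def assess_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and map each attachment filename to its warnings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings[name] = assess_attachment(name, part.get_content_type())
    return findings


def build_sample_message() -> bytes:
    """Constructed sample message (not a real capture): one lure, one ordinary PDF."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice_2023.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in assess_message(build_sample_message()).items():
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{name}: {status}" + ("; ".join([""] + reasons) if reasons else ""))
```

A check like this belongs at the mail gateway, where it can quarantine or rename the attachment before the user ever sees it; it complements, rather than replaces, the user training the article argues for, since an attacker can always pick a file type the list does not cover.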
So, yes, the human is your weakest link, but it is also your first line of defence in this complex security environment. That being said, if your employees are the first soldiers to face a lot of security threats (not only schemes created by cybercriminals), don’t you think it might be a good idea to train them accordingly? I’m pretty sure you would be against sending soldiers to the front without proper training. Well, it is the same with your staff. Train them accordingly and they might win your company a couple of battles in this never-ending war against cybercriminals.