Halloween has long been a time for dressing in disguise and celebrating all things dark and spooky. Today, it also marks the beginning of peak season for cybercriminal activity. With more holiday shopping forecast to take place online this year than ever before, greater numbers of employees across industries working from home, and the usual seasonal activities and distractions, 2020 may end up being a banner year for cyberattacks.
The ghastly and nefarious criminals responsible don’t need costumes. Instead, they conceal their identities with clever tricks designed to fool innocent employees into clicking on malicious links, revealing their account credentials, or otherwise giving bad actors a way into corporate networks, where they can do their dark deeds with impunity.
When cyberattacks rely on this sort of subterfuge, exploiting weaknesses in human psychology rather than technical hacking to gain access to accounts, systems and data, they’re initiating social engineering attacks. Criminals have employed these sorts of deceptive strategies since the dawn of the information age, but they still play a role in a majority of today’s data breaches. In the 2020 Verizon Data Breach Investigations Report, for instance, nearly half of reported breaches began with a phishing attack or the use of stolen credentials — more than twice the incidence of any other threat action.
This increase in social engineering attacks is only logical: as growing numbers of organizations deploy increasingly sophisticated technical controls, their users become the weakest link in their cybersecurity defenses. No matter how well educated, thoughtful or conscientious employees may be, it’s inevitable that they’ll make occasional mistakes. One accidental click is all it takes to give a bad actor an entry point into your environment.
Cybersecurity best practices to protect against social engineering attacks
We recommend a two-part strategy for combatting the threats posed by social engineering attacks. The first essential component is implementing an employee education or security awareness training program.
An effective security awareness training program is one that’s mandatory for all employees, where individual participation is tracked, and where additional follow-up education is conducted with employees who have clicked on malicious links in the past or otherwise demonstrate that they might benefit from it. It’s essential that the company’s leadership understands the importance of the program and wholeheartedly supports it.
It’s also important to develop procedures for responding to social engineering attacks, and clearly communicate them to employees. A “report phishing” button can be configured to appear in Outlook and allows you to designate someone in the IT department to investigate the reported threats.
Second, you’ll need to establish appropriate technical controls to keep the majority of phishing emails from ever reaching your employees’ inboxes. Most social engineering attempts are poorly targeted; these attacks rely on sending large volumes of email from spoofed domains in the hope of tricking a few unsophisticated users.
Implement email filtering that blocks malicious content from any newly registered domains as well as domains that are close variants of your company name, and you should have the basics covered. Make sure that your web content filtering solution will work for remote users who aren’t located behind the company firewall. A solution that leverages an agent installed on all company-owned endpoint devices to enforce web filtering policies is a great choice for use in today’s work-from-home IT environments.
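The two filtering rules above (newly registered sender domains, and domains that are close variants of the company name) are simple enough to express in code. The following is an added illustration, not a product or code from the original post: the company domain `example.com`, the registration dates, and the sender list are all constructed placeholders, and the registration-date table stands in for the WHOIS/RDAP lookup a real mail gateway would perform. It goes slightly beyond the text by showing three distinct ways a domain can be a "close variant": look-alike characters, a single-character edit, and the company name embedded in a longer domain.

```python
from datetime import date

COMPANY_DOMAIN = "example.com"   # constructed placeholder, not a real tenant
NEW_DOMAIN_DAYS = 30             # quarantine mail from domains registered within this window

# Constructed registration dates standing in for a WHOIS/RDAP lookup (assumption).
REGISTRATION_DATES = {
    "example.com": date(2005, 3, 14),
    "exarnple.com": date(2020, 10, 25),
    "exmple.com": date(2020, 9, 30),
    "example-invoices.com": date(2020, 10, 29),
    "fresh-deals.biz": date(2020, 10, 28),
    "trusted-vendor.net": date(2012, 6, 1),
}

# Character sequences that render almost identically in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalize_label(label):
    """Collapse look-alike substitutions so 'exarnple' compares equal to 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a domain ('exarnple.com' -> 'exarnple').

    Naive: assumes a two-label domain. Production code would consult the
    public suffix list so that 'example.co.uk' is handled correctly.
    """
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else domain.lower()


def classify_sender(domain, today=date(2020, 10, 31)):
    """Return None if mail from this domain may pass, else the reason to quarantine it."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return None  # internal mail; proving the claim is the job of SPF/DKIM/DMARC upstream
    company_label = registrable_label(COMPANY_DOMAIN)
    label = registrable_label(domain)
    # 1. Look-alike characters: differs only by homoglyph substitutions.
    if normalize_label(label) == normalize_label(company_label):
        return "homoglyph look-alike of company domain"
    # 2. Typosquat: within one insertion/deletion/substitution of the company name.
    if edit_distance(label, company_label) <= 1:
        return "close variant of company domain"
    # 3. Brand embedding: company name used as part of an unrelated domain.
    if company_label in label:
        return "company name embedded in unrelated domain"
    # 4. Freshly registered: attackers rotate domains faster than reputation systems catch up.
    registered = REGISTRATION_DATES.get(domain)  # None = lookup failed; policy decides, we pass it
    if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
        return "newly registered domain"
    return None


def scan_senders(domains):
    """Map each flagged sender domain to the reason it was quarantined."""
    results = {}
    for d in domains:
        reason = classify_sender(d)
        if reason:
            results[d] = reason
    return results


if __name__ == "__main__":
    # Constructed sender list for demonstration.
    for dom, why in scan_senders(REGISTRATION_DATES).items():
        print(f"{dom:24} quarantined: {why}")
```

The ordering matters: a domain that is both newly registered and a look-alike is reported under the more specific look-alike rule, which tells the analyst what the attacker was imitating. A lookup failure is treated as "pass" here; a gateway that prefers to fail closed would return a reason instead.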
Cover your bases with robust logging and monitoring in the security operations center (SOC)
By nature, humans are fallible. That’s why it’s essential to collect logs that will capture unusual activities taking place across your network and to implement security monitoring so that anomalies can be detected quickly. If a team of expert security analysts is monitoring your network, they’ll be alerted to logins from unusual IP addresses or from unexpected locations outside the company. With rapid detection, it’s easier to find the email that was the source of the problem and reset credentials on any affected user accounts — and to do all of this fast, before attackers have time to engineer a full-scale data breach.
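To make "alerted to logins from unusual IP addresses or locations" concrete, here is an added example of the kind of detection logic a SOC would run over authentication logs. It is not code from the original post or from any product it describes; the log format, the corporate address ranges, the tiny GeoIP table (documentation prefixes only) and the log lines themselves are all constructed for the example. It learns each user's normal countries from a baseline window, then raises an alert for a successful login from a country never seen for that user, or for a success that follows a run of failures from the same source address (the pattern left behind when stolen or guessed credentials finally work).

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed corporate address space (assumption): logins from here are never geo-anomalous.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]

# Constructed stand-in for a GeoIP database (assumption), keyed by documentation prefixes.
GEO = {ip_network("203.0.113.0/24"): "US", ip_network("192.0.2.0/24"): "FR"}

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log: alice normally works from the office and from home in the US.
SAMPLE_LOG = """
2020-10-26T08:02:11Z user=alice src=10.4.7.21 result=success
2020-10-26T18:40:03Z user=alice src=203.0.113.7 result=success
2020-10-27T08:05:44Z user=bob src=10.4.7.30 result=success
2020-10-28T09:11:09Z user=alice src=10.4.7.21 result=success
2020-10-30T02:13:51Z user=alice src=192.0.2.45 result=failure
2020-10-30T02:14:02Z user=alice src=192.0.2.45 result=failure
2020-10-30T02:14:15Z user=alice src=192.0.2.45 result=failure
2020-10-30T02:14:40Z user=alice src=192.0.2.45 result=success
2020-10-30T08:00:10Z user=bob src=10.4.7.30 result=success
2020-10-30T19:22:05Z user=alice src=203.0.113.7 result=success
this line is not a login record
""".strip().splitlines()

BASELINE_CUTOFF = datetime(2020, 10, 29)  # events before this build the per-user baseline


def country_of(ip):
    """Resolve a source IP to 'CORP', a country code, or 'UNKNOWN'."""
    addr = ip_address(ip)
    if any(addr in net for net in CORPORATE_NETS):
        return "CORP"
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "UNKNOWN"


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "result": m["result"],
        })
    return events


def build_baseline(events, cutoff):
    """Countries each user successfully logged in from before the cutoff."""
    baseline = {}
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline.setdefault(e["user"], set()).add(country_of(e["src"]))
    return baseline


def detect(events, cutoff, failure_threshold=3):
    """Return (user, src, reason) alerts for events at or after the cutoff."""
    baseline = build_baseline(events, cutoff)
    failures = {}  # (user, src) -> failed attempts seen so far, in time order
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key] = failures.get(key, 0) + 1
            continue
        if e["ts"] < cutoff:
            continue  # baseline period: learn, don't alert
        cc = country_of(e["src"])
        # A user with no baseline at all (new account) alerts on any external login.
        if cc != "CORP" and cc not in baseline.get(e["user"], set()):
            alerts.append((e["user"], e["src"], f"success from new country {cc}"))
        if failures.get(key, 0) >= failure_threshold:
            alerts.append((e["user"], e["src"],
                           f"success after {failures[key]} failures from same source"))
    return alerts


def run_detection():
    return detect(parse(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for user, src, reason in run_detection():
        print(f"ALERT user={user} src={src}: {reason}")
```

Running it on the constructed log yields two alerts for alice from 192.0.2.45 and nothing for her later login from her usual home address, which is the signal an analyst needs to go back to the phishing email and reset her credentials before the account is used for anything further.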
Would your employees be taken in by today’s most sophisticated phishing attempts? Schedule a custom-tailored threat assessment with our team of experts to find out today.