Beware of innocent-looking emails appearing to come from trusted employees or vendors. All too often CxOs are but a click away from a malware infection. All employees are now vulnerable to this trickery as hackers have put a special emphasis on human resources and finance departments. Looking to steal financial information, hackers now use data gathered on social media to construct detailed emails that imitate top executives. Recently they’ve even started encrypting important data and charging a ransom to unlock it.
Gone are the days of the mass emails with misspelled messages written by Nigerian princes. Aided by social networks, today’s cyber-criminals conduct reconnaissance to exploit personal information and craft targeted emails. CxOs need to lead the way by initiating multiple defenses against the millions of social engineering attacks launched daily.
Businesses need to construct a “Human Fortress” to create a better defense. HR management needs to ramp up staff awareness systems while CFOs continue to guide decisions around infrastructure, security and risk mitigation. Defending against today’s social engineering attacks requires an increased emphasis on employee-focused systems that teach everyone to think twice before clicking on suspicious emails. It is no longer enough to install infrastructure and system defenses.
Spear phishing attacks often start by breaking into one executive’s account to observe their communications, then construct carefully crafted emails sent to that executive’s contacts. When the message relates to a familiar subject or carries a familiar attachment, it drastically increases the chances of infection. Using this method, hackers obtain access to W-2s, passwords and other sensitive data.
Targeted social engineering attacks are difficult to combat without effective security awareness systems that begin by encouraging employees to follow a set of acceptable-use rules for social networks. Once these policies are in place, good employee behavior needs to be reinforced so staff trust their instincts when viewing a suspicious email, even if it appears to come from friends or co-workers. A quick phone confirmation before sending employee or financial records can eliminate the anguish of remediating a breach.
Teaching staff to pay attention to the details of messages from inside and outside the organization will increase awareness. Reviewing the origin email address, the address for the reply as well as the tone of the email will thwart many attacks. An email that demands an immediate wire transfer or a swift answer to a confidential question should be vetted by a manager or security team member.
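One way to automate the header review described above, as an added example that is not from the original article: it flags a Reply-To that points away from the sender’s domain, an executive’s display name paired with an external address, and pressure wording in the subject or body. The company domain, executive names and both sample messages are constructed assumptions.

```python
# Added example: encodes the "check the origin address, the reply address and
# the tone" advice as header checks. All names, domains and messages are constructed.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # assumption: the organisation's own domain
KNOWN_EXECUTIVES = {"jane doe", "john roe"}    # constructed display names worth protecting
URGENCY_TERMS = ("immediately", "urgent", "wire transfer", "confidential", "w-2")

def body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message (7-bit text assumed)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")

def check_message(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 822 message; an empty list means none."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    # 1. Replies would go to a different domain than the one the mail claims to come from.
    if reply_addr and reply_domain != from_domain:
        flags.append(f"reply-to domain {reply_domain!r} differs from sender domain {from_domain!r}")
    # 2. A known executive's name on an address outside the company domain.
    if from_name.strip().lower() in KNOWN_EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append(f"display name {from_name!r} used with external address {from_addr!r}")
    # 3. Tone: pressure or sensitive-data wording that should trigger a phone check.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append("urgency/sensitive terms: " + ", ".join(hits))
    return flags

# Constructed sample: an impersonation attempt aimed at payroll.
SAMPLE = """\
From: Jane Doe <jane.doe@example-payroll.net>
Reply-To: accounts@mail-relay.biz
To: payroll@example.com
Subject: Urgent: W-2 copies needed today

Please send the W-2s for all staff immediately. This is confidential.
"""
# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN = "From: Jane Doe <jane.doe@example.com>\nTo: payroll@example.com\nSubject: Lunch on Friday\n\nShall we book the usual place?\n"

if __name__ == "__main__":
    for line in check_message(SAMPLE):
        print("FLAG:", line)
```

The three flags raised on the first sample are exactly the sender, reply address and tone cues the paragraph asks staff to check; a message that trips any of them is a candidate for the manager or security-team review described below.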
Security awareness systems teach employees to detect and stop social engineering before it compromises security, operations and profits. When looking at options consider on-demand, personalized online training about security basics such as spam, spear-phishing, spoofing and malware hidden in files. Specialized sections for handling sensitive information, mobile device and credit card security as well as ransomware are effective for employees with specific functions.
Companies of all sizes are seeking out effective security awareness systems that include random testing through simulated phishing attacks. Individuals who need additional help will be directed to review the education module before receiving more random simulated attacks. Continuous instruction and simulated testing are key to changing human behavior and keeping the staff abreast of the latest threats. New employees should go through the system immediately after starting rather than waiting for them to “catch up” to the next all-staff instruction.
Successful hackers try to stay ahead by inventing new ways to breach network security, making anti-malware, carefully configured firewalls and other protections necessary. Creating a “Human Fortress” through the effective use of a security awareness system helps employees remain vigilant and turn the wolves away from the door.