Read the original article by Steve Whiter, Appurity Managing Director, on teiss.co.uk
Social engineering attacks are big news
In recent months, Revolut, Twilio and Uber have all been successfully targeted. When large companies like these suffer security breaches and data theft, the consequences – both reputational and financial – are severe. And what these attacks tell us, above all, is that no business, no matter its size, vertical, or technological prowess, can afford to let its guard down.
What are social engineering attacks?
Social engineering attacks are a powerful weapon in any bad actor’s arsenal. They can take many forms, but essentially, social engineering attacks are acts of deceit through which the victim(s) are manipulated into sharing sensitive information or giving access to data and networks.
Phishing is the most common form of social engineering attack. Phishing attackers contact individuals through email, SMS messages, or even phone calls and social media, posing as a verified or trustworthy organisation, in an attempt to gain personal information such as banking details or account passwords.
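As an added illustration (not from the original article or from Appurity), the following Python check flags the impersonation signals just described in a handful of constructed email and SMS messages: a display name that claims a trusted brand while the sender domain or link host belongs to someone else, plus the pressure language typical of a lure. The brand-to-domain table and the sample messages are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list: the real domain for each brand the lures impersonate.
BRAND_DOMAINS = {"revolut": "revolut.com", "twilio": "twilio.com", "uber": "uber.com"}
URGENCY = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude 'last two labels' approximation; adequate for the .com/.net/.co samples here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brands_named(text):
    """Brand keys mentioned in text (hyphens stripped so 'revolut-secure' still matches)."""
    text = text.lower().replace("-", "")
    return {brand for brand in BRAND_DOMAINS if brand in text}


def phishing_indicators(msg):
    """Return indicator strings for one message dict (display_name, from_addr, body)."""
    hits = []
    # 1. Sender impersonation (email only): display name names a brand, domain is not theirs.
    if "@" in msg["from_addr"]:
        sender = registrable_domain(msg["from_addr"].split("@")[-1])
        for brand in brands_named(msg["display_name"]):
            if sender != BRAND_DOMAINS[brand]:
                hits.append(f"display name claims {brand} but sender domain is {sender}")
    # 2. Link impersonation: a URL host that mentions a brand but is not on the allow-list.
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in BRAND_DOMAINS.values():
            for brand in brands_named(host):
                hits.append(f"link host {host} imitates {brand}")
    # 3. Pressure language; substring matching is deliberately simple and will over-match.
    if any(word in msg["body"].lower() for word in URGENCY):
        hits.append("urgency language")
    return hits


# Constructed samples: one phishing email, one SMS lure, one genuine notification.
SAMPLES = {
    "phish_email": {"display_name": "Revolut Support", "from_addr": "help@revolut-secure.net",
                    "body": "Your account is suspended. Verify immediately: http://revolut-secure.net/login"},
    "phish_sms": {"display_name": "Uber", "from_addr": "+447700900123",
                  "body": "Urgent: confirm your ride receipt at http://uber-receipts.co/x"},
    "genuine": {"display_name": "Twilio", "from_addr": "noreply@twilio.com",
                "body": "Your monthly invoice is available at https://www.twilio.com/console/billing"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, phishing_indicators(msg))
```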
These types of attacks are on the rise. The bad actors behind these attacks are constantly evolving, and their techniques are becoming more sophisticated. With that in mind, here are some cybersecurity protections your business can implement to help protect against social engineering attempts.
Security awareness training
With attackers targeting people as well as systems, businesses must consider how their security strategy protects the human – as well as the technical – element. Often, in fact, it is the human element of any security system which presents the most glaring weakness for attackers. If you’re looking for a strong, effective cybersecurity strategy, it’s no longer enough just to invest money in products and technical solutions. Your first and last line of defence is your people, and investing in their security awareness is an essential and proactive measure.
Security training is a useful way for your business to prevent and reduce user risk. In effect, training your people to detect and avoid threats is like building a secure human firewall. Security training should help your employees understand how they can protect the business against security breaches by better understanding the threat landscape.
Human error is by far the biggest threat to your organisation’s cybersecurity, and cyber criminals know this. During an Appurity campaign earlier this year to measure cyber awareness, 25% of law firm employees clicked on SMS and email phishing links that could have opened up their firm to a hack or data breach.
Security training should be considered as a routine, ongoing exercise. While one-off workshops can be useful, businesses need regular training to prevent employees from falling back into bad habits. And as cyber threats evolve at a rapid rate, working with a provider who can adapt your security training in line with current, industry-specific threats will add an extra layer of security to your cyber defences.
Device and application assessments
Device and application security is vital if businesses want to operate efficiently, meet compliance requirements, reduce risk, and improve trust with customers. Businesses should consider a full audit and security assessment of all their devices and applications to understand more about how they’re used across the business and identify any potential security vulnerabilities.
Since the COVID-19 pandemic, many businesses have adopted Bring Your Own Device (BYOD) policies. Others allow employees to use their personal phones to access business information or even install their own apps to manage their files, organise their schedules, or increase productivity. In these environments, it’s difficult to even know how devices are used across the workforce – and it’s even harder to ensure all devices, apps, and endpoints are secure. And if employees are downloading malicious apps on devices they also use for work, this is not only a problem from a security perspective, but it might also hinder a business’s chance of becoming accredited under cybersecurity schemes like Cyber Essentials Plus.
With a device and application assessment, a cybersecurity partner will be able to highlight any gaps or vulnerabilities in your workforce’s fleet of devices. Once your business has access to this information, you’ll be in a position to implement a remediation plan to fix the issues and strengthen your defences.
Secure all endpoints
Ultimately, all businesses need an impenetrable security solution in place to protect against cyberthreats. The first step is assessing your business’s infrastructure and understanding the threats coming from devices, applications, and your people. The final – and most important – step is implementing a plan that will protect your business in its entirety.
Forward-thinking solutions that adhere to concepts and frameworks such as secure access service edge (SASE) and zero-trust will help provide the peace of mind your business needs to operate securely and keep your workforce protected and productive.