Fighting the threat of social hacking [Q&A]
Often the weakest link in an enterprise’s cyber security is the person behind the endpoint. Although technology solutions can offer a high degree of protection, there’s no substitute for making users aware of the potential threats.
Social engineering attacks are increasingly used to try and catch out employees. Education on cyber security is therefore something that's being taken seriously by businesses of all sizes. We spoke to Scott Youngs, CIO of infrastructure solutions and managed services company Key Information Systems to find out more about the threat and how education can help beat it.
BN: Is security a major factor in companies turning to managed service providers?
SY: Many companies come to us when they want to improve the efficiency and reliability of their IT operations, and need an enterprise-grade data center at an affordable cost. Other factors, including enhanced security and compliance, are high on the list of reasons why we are seeing more and more companies turn to managed service providers (MSPs) for their IT needs. Ultimately, many security problems are the result of human error within internal staff, which is another major reason these businesses are opting to outsource to an MSP. With a dedicated outside team providing extra levels of redundancy, clients have improved oversight on sophisticated IT challenges, as well as peace of mind with a cavalry during fire drills.
BN: When it comes to cybersecurity, what are some of the main concerns you hear from your clients?
SY: Most of our security conversations always start off with a basic firewall discussion, with companies looking to put a firewall in place and hope for the best. However, a lot of companies have little understanding of how large the security issue really is or the work and dedication behind securing their IT. When we start to explain the process -- the firewall, anti-virus, anti-malware, DDoS protection, data encryption on the backside technology -- they get pretty overwhelmed. Since security comes up in most every conversation these days, many clients have started asking the next big questions: 'Are you HIPAA certified? Are you compliant with Sarbanes-Oxley?' However, we caution clients that they are the ones who must be compliant, and we can work with them to make this happen.
BN: What exactly is social hacking?
SY: Social hacking, or social engineering, is one of the types of attack that can occur completely out of the control of the IT department, which is alarming. Hackers try to gain access to restricted information without the proper permission by taking advantage of human nature. Many hackers can infiltrate companies using false credentials or impersonating an individual of trust or importance, such as a CEO or CFO from a partner. For example, a hospital employee may receive an email from someone claiming to be the CFO, with an email that has one letter off in said CFO's name, urgently requesting an invoice containing sensitive information. In a rush, the employee may not realize that one letter is different in the 'CFO' email address. She sends off the info, and the hacker has achieved his goal. Hackers are betting on this, and it’s hard for employees to say no to people of authority, like a boss, when it comes to giving out information.
Social hackers can also disguise themselves as a Facebook friend or Twitter follower, allowing them to extract personal information from a profile or posts. The hacker then uses this information to gain the trust of that individual, ultimately enabling them to gain access to a password or information they have no business knowing.
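The "one letter off" sender address described above is something mail-handling code can check for. The following is an added example, not code from the interview or from Key Information Systems: it compares each inbound sender against a constructed directory of known executive addresses and flags near misses (one or two edits away) while letting exact matches through. The directory, the sample senders and the `max_distance` threshold are all assumptions for illustration.

```python
# Added example (not from the interview): flag inbound sender addresses that are
# one or two characters away from a known executive's address. All names,
# addresses and sample messages below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

KNOWN_EXECUTIVES = {  # constructed directory of trusted partner executives
    "cfo": "maria.lindqvist@partnercorp.example",
    "ceo": "john.okafor@partnercorp.example",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); 1 means 'one letter off'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

@dataclass
class Verdict:
    sender: str
    matched_role: Optional[str]  # executive the address resembles, if any
    distance: int                # edits between sender and that executive
    suspicious: bool             # near miss: 0 < distance <= max_distance

def check_sender(sender: str, max_distance: int = 2) -> Verdict:
    """Exact match to a known executive passes; a near miss is the lookalike
    pattern the interview describes and is flagged for review."""
    sender = sender.strip().lower()
    role, dist = min(((r, levenshtein(sender, a)) for r, a in KNOWN_EXECUTIVES.items()),
                     key=lambda pair: pair[1])
    suspicious = 0 < dist <= max_distance
    return Verdict(sender, role if dist <= max_distance else None, dist, suspicious)

# Constructed inbound senders: genuine CFO, CFO name with one swapped letter,
# CEO at a lookalike domain (crop vs corp), and an unrelated newsletter.
SAMPLE_SENDERS = [
    "maria.lindqvist@partnercorp.example",
    "maria.lindquist@partnercorp.example",
    "john.okafor@partnercrop.example",
    "newsletter@vendor.example",
]

def flagged(senders=SAMPLE_SENDERS) -> list:
    """Return the sample senders that should be held for a second look."""
    return [v.sender for v in map(check_sender, senders) if v.suspicious]
```

A check like this sits alongside, not instead of, the awareness training the interview calls for: it catches the typo-squatted name, while the employee's habit of verifying urgent requests out of band still catches everything else.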
BN: Which industries are seeing these types of attacks?
SY: We have seen derivatives of social hacking like spear phishing emails and ransomware in all types of industries. For example, there's been a lot of press on the medical industry being hammered with these types of attacks. Just last year, the US Department of Health & Human Resources breach report showed that data from more than 120 million people had been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009. That is alarming. There is so much harm that can be done -- not just to the hospital, but to people's lives and privacy. If our hospital clients are storing medical images or records and a doctor can't make a diagnosis on the spot because a CAT scan image is encrypted by ransomware or otherwise locked or unavailable, there could be very serious ramifications. The amount of damage is immeasurable.
BN: What can businesses do to educate their employees on social hacking and how to avoid these types of attacks?
SY: The biggest message to stress is that you cannot pay minute attention to the social side of security. You have to focus on it just as much as you do on IT and security vendors. There are so many things that companies can do to prevent these types of attacks. Here are a few ways:
- Make frequent backups and test that they’ll work in an emergency, or automate the process. If a system is held hostage by ransomware, a recent backup or ongoing disaster recovery mechanism can help avoid paying ransoms.
- Teach employees to question everything and never give out any confidential or seemingly confidential information. (Most legitimate IT or financial companies will not ask people to give out confidential information over the phone or in an email exchange.) Companies are surprised at how many cyberattacks occur because of this oversight.
- Mandate proper disposal of sensitive data, whether it be shredding a credit card receipt or deleting digital information. Consider putting a company-wide process for data disposal in place, and have employees sign something stating that they understand the process and will follow it closely.
Again, the most important thing to remember is that this does not fall solely on the shoulders of the IT department. With the growth of strategies like social hacking, it is the responsibility of the entire staff to ensure that business data is secure.