Trustwave published its Global Security Report for 2019, which reveals the changing face of malware and data breaches. For business owners and IT managers, what is most important is how cyber security strategies must change in order to stay ahead of the advances in the speed and stealthy methods of the attacks.
Social Engineering Attacks On The Rise
Among the most significant findings of the report is that one of the biggest categories of threats doesn’t begin with malware at all, but instead consists of “social engineering” attacks that manipulate users into allowing malicious software to be loaded or access to be given to otherwise secure resources. In 2018, social engineering was the top method of initial compromise.
Phishing, where a user is presented with fraudulent emails or websites that appear legitimate, is designed to get a trusting user to enter their credentials. Once the hacker (or hacking software) has the legitimate credentials, it logs into the resource to do its damage.
If the resources are technical in nature -- such as the email administrator, network administrator, or other computer resources -- the hacker can destroy data, install or distribute ransomware, steal personally identifiable information (PII) for identity theft purposes, steal proprietary business information, or do other damage. If the resources are financial in nature, purchases can be made and bank accounts can be emptied.
Warning to Executives
There is a subset of social engineering and phishing attacks that is doing huge damage. “Business Email Compromises” (BEC) are emails that appear to be from one person in the company and are sent to another person in the company. According to a Verizon 2019 Data Breach Report, senior executives are 12 times more likely to be the target of BECs and of social engineering attacks in general. Their success rests on two factors.
- The executives have access to vital company information and resources
- The senior members of a company tend to be older and less computer savvy
In this kind of attack, a hacker sends an email to Executive A that appears to be from another executive, Executive B, who has authority. The email requests that access be granted to some company resource. Executive A grants the request, and the resource becomes instantly available to the hacker. Other requests might be to make a purchase, transfer money or send a payment.
Imagine the damage when the right person in the company receives an email like this:
- “Bob, Sally has forgotten her company email login information. Please reset her password immediately and send the information to her Gmail account.”
- “Bob, please give Kevin access to the accounting volume on our server.”
- “Bob, please reset my database password and send it to me asap.”
- “Bob, the routing and account number for the bank wire for Supplier A has changed. Please send our next payment ASAP to routing number 98764531 and account number 123456789.”
The recipient of this request doesn’t need to be an executive, but does need to be someone with access to the resources being requested.
How To Defend Your Company Against Social Engineering
Good endpoint protection can help to protect your users from receiving such emails in the first place. For example, emails that claim to be from your bank but don’t come from your bank’s email servers would be routinely captured by our cyber security systems.
But many of these emails don’t claim to be from a business. According to Trustwave, “84% of BEC messages used free webmail services for distribution, 12% used spoofed company domains and 4% elected to employ misspelled or lookalike domain names to deceive recipients.”
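An added example, not from the original post or from Trustwave, of the kind of sender check a mail filter can apply to separate those three BEC categories from legitimate internal mail. The company domain, the executive names, the free-webmail list and the sample messages are all constructed for the example.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration for this example: the organisation's own mail
# domain, the display names an attacker would impersonate, and the free
# webmail providers that carry most BEC traffic according to the report.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"sally ceo", "bob finance"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def is_lookalike(domain, legit=COMPANY_DOMAIN):
    """True for a domain close to, but not identical to, ours (e.g. 'exarnple.com')."""
    return domain != legit and difflib.SequenceMatcher(None, domain, legit).ratio() >= 0.8


def classify_sender(raw_message):
    """Bucket a message by the three BEC distribution methods in the report.
    Returns one of: internal, spoofed_company_domain,
    free_webmail_impersonation, lookalike_domain, external."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    auth_results = msg.get("Authentication-Results", "").lower()
    claims_executive = display_name.strip().lower() in EXECUTIVE_NAMES
    if domain == COMPANY_DOMAIN:
        # Our own domain in From: trust it only if the receiving MX recorded
        # an SPF pass; otherwise the company domain has been spoofed.
        return "internal" if "spf=pass" in auth_results else "spoofed_company_domain"
    if domain in FREE_WEBMAIL and claims_executive:
        # A free webmail account wearing an executive's display name.
        return "free_webmail_impersonation"
    if is_lookalike(domain):
        return "lookalike_domain"
    return "external"


# Constructed sample messages, one per category (only the headers matter here).
SAMPLES = {
    "free_webmail": "From: Sally CEO <sally.ceo.urgent@gmail.com>\nTo: bob@example.com\n\nBob, wire Supplier A today.\n",
    "spoofed": "From: Sally CEO <sally@example.com>\nAuthentication-Results: mx.example.com; spf=fail\nTo: bob@example.com\n\nReset my database password.\n",
    "lookalike": "From: Sally CEO <sally@exarnple.com>\nTo: bob@example.com\n\nGive Kevin access to the accounting volume.\n",
    "legitimate": "From: Sally CEO <sally@example.com>\nAuthentication-Results: mx.example.com; spf=pass\nTo: bob@example.com\n\nSee you at 3.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12s} -> {classify_sender(raw)}")
```

The display-name check is what catches the "from one person in the company to another" pattern described above; a real filter would also consult DKIM and DMARC results rather than SPF alone.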
And some social engineering threats don’t even arrive via email. A client of ours recently received a phone call from someone claiming to be an IT consultant, who directed the employee to give the caller access to vital company resources.
Training Is The Key
Our Business Protection Toolkit has many protections for your business, including strong Endpoint Protection, Behavior-Based security, SIEM real-time monitoring of your security logs, and more.
But all of them are strengthened by employees who are aware of the threats your company faces, and how to detect them. Cyber Security Awareness Training is a critical part of any company’s cyber security plan, and one that we now offer to all our cyber security clients.
In our training series, employees are taught how to identify and prevent threats such as these. They will learn to recognize phishing emails, to tell legitimate requests from illegitimate ones, and even to spot malicious phone calls.
Data breaches, ransomware, stolen resources, access to bank accounts, and other cyber crimes can put a company out of business. No matter the size of your company, from sole proprietors to hundreds or thousands of employees, your business needs thorough protection. Talk to us about our Cyber Security services, including our Business Protection Toolkit, so that your business doesn’t become part of a statistic in next year’s cyber security report. Contact us online or call us at 818-913-1335.