The Human Element of Security

In the last 10 years security software has advanced tremendously, greatly increasing our ability to defend against cyberattacks. In response, many hackers have chosen to bypass the traditional technical methods of hacking and instead exploit the human element of a business: its employees. Most employees aren't very security conscious, and hackers use this to deceive them into performing all sorts of actions that can harm your business. Addressing the human element of security means training your employees to be aware of the cyberattacks designed specifically to target them.

According to Verizon, as much as 93% of data breaches involve some type of social engineering. This means that more than 9 out of 10 data breaches were caused not by an error on the part of the security staff or a failure of software, but because an employee of the company was tricked into doing something they weren't supposed to do. At first glance this can be very discouraging: you can invest thousands or millions of dollars and still suffer a data breach due to user error. But that's the wrong way to look at it. It should be taken as a warning of why you need to invest in security awareness training for your employees on top of the technical solutions. To do this effectively you need to understand what social engineering is and how employees are typically targeted.

What is social engineering?

Social engineering is the psychological manipulation of an individual into performing actions or divulging confidential information. The most common type of social engineering attack is the phishing attack, in which someone pretends to be a credible party and pressures the user into performing an action that gives the attacker information or access to the company network, usually over email. Spear phishing takes the same concept but makes it more convincing by tailoring the message to the individual person. Attackers gather information from publicly available sources like social media to figure out who your friends are, your job title, your interests and any other piece of information they can use. They then send you an email so closely tailored to you that it seems legitimate, which makes it all the more difficult for users to identify the email as malicious.

Source @ purevpn

However, this isn't the only type of social engineering attack. There are also vishing and smishing, where an attacker calls you pretending to be someone else or sends you a fake text message in order to trick your employees into doing something harmful. Social engineering can even extend beyond the cyber realm. Tailgating is another common issue companies face: someone waits for an employee with an access card to open a door and then follows them into the building. It takes advantage of the fact that many people want to be polite and don't want to ask someone to stop and scan their own card.

How serious is social engineering?

Social engineering is an extremely common and extremely effective attack. Approximately 97% of users fail to identify a phishing scam, as much as 66% of installed malware is delivered through an email attachment, and according to the FBI phishing is the third most common scam regardless of company size, industry or location. In all likelihood this trend will continue, so it's important that employees receive proper training so that they can identify these social engineering attacks whenever they occur.

Good security awareness training should prepare employees to recognize phishing attacks and should include regular phishing simulations. These simulations ensure that employees take the training seriously, and they give you a way to measure the training's effectiveness by tracking how many employees recognize the simulated phishing emails afterwards.

How to get more free content

If you like this article and would like to read more of our cybersecurity insights, tips and tricks, feel free to follow us on social media. If you're a struggling business owner who needs help assessing your business's cybersecurity posture, feel free to take advantage of our free introductory assessment and we'll help you figure out a game plan for keeping your company safe.