One of my favorite websites is https://www.bbb.org/scamtracker. It is a place for people to go and report scams they have been taken by, been involved in, or seen first-hand. It is also an amazing place to keep up with what is popular in the "Scam Arena".
One of THE biggest things businesses fail at is defense against Social Engineering. I have written about it many times, and I have a feeling most people in a position of leadership are polarized on these posts: I see either "I agree 100%" or pushback (insert 100 reasons here).
I wanted to take a different approach today and share one of my favorite websites to underline a point I think many in the business world are missing. That point is: your employees are human. They fall in love, they probably don't get paid enough, they get lonely, they love dogs, they have hobbies. Right now my guess is most of you are going to give the shoulder shrug and say, "no s**t, Gary."
Defense against Social Engineering isn't as simple as some filters, a quarterly phishing exercise by IT, computer-based remediation, and a "report phish" button in your email client. It is, however, what has been pushed in the market, or maybe even what the market thinks it needs. It's easy to deliver, it's low overhead, it's reusable; in short, it makes cyber security companies money. It's also a low-cost option to implement on your own, but both options give your company a VERY false sense of security. If these methods are effective, then why do we continue to observe a compromise rate exceeding 80% for companies due to social engineering attacks?
Let me give you another no s**t answer: it's not effective.
The next logical question would be: when a company is looking to harden its security, or to ensure the company and its assets are safe, why does the 80%+ way in get less than 10% of the attention?
Your company most likely doesn't exist without your employees, whether that is a solopreneur, one employee, or 10,000. Each one of those employees can be either an undertrained liability or a well-trained asset in your company's security. When an employee leaves for the day or logs out, many companies still require them to answer their phones, check their emails, be available for after-hours meetings, and wake up at 3am for (insert important reason here). The lines between the professional and personal world blur; it never is, nor has been, simply "on and off". Some are better at boundaries, some are much worse. However, humans, as we discussed earlier, do other things than work. That means those same humans don't live 24/7 behind your company firewall. Those same humans don't have a "report phishing" button and don't receive computer-based remediation when they click on something they aren't supposed to while at home.
No, my dear CISO, those humans carry that malware into your building, from loading the wrong thing onto their phones. Or, because they are human, they use the same password for their bank account as they do for work, a password that just so happens to have been stolen, since they weren't trained properly on what a scam looks like beyond your quarterly phishing exercise.
Humans do human things, and that also means other, more nefarious humans know what to take advantage of. Do you know what the most lucrative scam in the world is right now? Romance. People meet others online and are scammed out of thousands of dollars, every single day. Ask yourself: do you think people are more likely to give someone a password, or to give them $5,000? Hopefully you guessed door number one. Sharing your screen with someone you have "fallen in love" with? Giving them access to your Netflix account? Your cell phone number, address, birthday, middle name? The links between a human's personal life and professional life blur in all aspects, not just the professional ones we all think of. To believe that your employees are only targeted at work is ignorance at best, negligence at worst.
I shared the website because I wanted to show the sheer volume of people who get taken advantage of every single day. Someone who works for or with you has been a victim. Investing in people, providing them the proper training and follow-up at work, not only helps your company but helps your employees. It is an investment that could save your company millions. It's also an investment in your people that could save them much more than just their feelings: their livelihood and, not to be dramatic, their lives. Yes, scams go wrong, people die, it literally ruins lives. To the person getting taken, your company is an afterthought at that point.
I could write another article entirely on what happens "after" the scam. Imagine you fall in love, and that person ends up stealing from your company with your credentials. Will they believe you didn't do it? Even if they do, will you have a job when it's over? The FBI could get involved if the theft is large enough or crosses state or country lines; your computer might need to be logged as evidence, or at the very least a copy made of the hard drive. Sound fun so far? It starts to sound more like someone may just keep quiet, say nothing, and hope it goes unnoticed; after all, they can always say, "Oh? I must have been hacked, I didn't know!"
Companies need to do better. Investing in the area that is the most likely avenue to a breach should be a priority, not an afterthought. Organizations need to understand that the weakest link in their security is their people, and they also need to understand that those same people are the most unprotected when they are not at work. Training your employees to defend against social engineering, not just emails at work but all forms of it, is imperative for security.
There is a great byproduct to all of this that most other facets of security don't yield. If you do it right, you are investing in your employees, and it shows them you care about their personal well-being as well as their professional well-being. Humans genuinely act better, have lower turnover, work better as teams, create a better culture, and produce higher-quality work when they feel invested in. Those same humans are also significantly more likely to trust that the company will believe them, take their side, or help them in the event something happens to them. All things your organization should want in an employee.
The significance of investing in your employees and empowering them with the expertise and resources to counter social engineering attacks simply can't be emphasized enough. It's often alluring to prioritize solutions like firewalls, antivirus software, and intrusion detection systems while inadvertently sidelining the human factor, because frankly, "tech sells". However, it is imperative to recognize that your employees form the very essence of your organization. They are not just components of the corporate machine; they are unique individuals with different lives, strengths, and vulnerabilities that all exist beyond their work roles.
By acknowledging that human element, you open the door to a profound realization, one where your employees possess the potential to either amplify your security defenses or inadvertently introduce vulnerabilities. Neglecting their security education is akin to leaving your organization's gate wide open to malicious actors. On the other hand, by investing in your employees' awareness and capabilities, you can transform them into vigilant guardians of your company's digital fortresses.
These employees become invaluable assets in safeguarding your organization. They not only bolster your defenses against phishing scams, impersonation attempts, and other social engineering ploys but also serve as vigilant sentinels in both their professional and personal lives. That awareness begins to extend to protecting sensitive company data, detecting suspicious activities, and even recognizing potential threats outside of the workplace.
By preparing your organization to defend against all aspects of Social Engineering, you will create a culture where trust, empowerment, and the individual's value in the broader sense flourish, ultimately giving you a more secure, productive, and harmonious workplace.