Businesses of all sizes spend a great deal of time and resources on IT security, and rightly so. Data is everything in today’s digital world, and protecting it is of paramount importance. A recent study from anti-virus software makers Kaspersky Labs found something surprising, though. The greatest threat to data today isn’t traditional hacking. It’s social engineering attacks.
What are Social Engineering Attacks
Simply put, social engineering is a con job. A bad actor (that’s by the dictionary definition, not in the late night sci-fi movie sense) communicates with an employee and tricks them into granting access to sensitive data.
In other words, it’s pure trickery. A social engineering attack occurs when someone buys your employee a few drinks and talks them into revealing your client list. Or when someone sends an email pretending to be the “new guy with IT” and convinces an employee to give up their password so their computer can be “optimized”.
It’s a tough problem. The best lock in the world doesn’t do any good if the wrong person has the key. The Kaspersky report concluded that 42% of confidential data loss directly involves employees, and the majority of those incidents are due to social engineering.
How to Defend Against Social Engineering Attacks
IT security training is part of the answer. Every employee, not just IT personnel, should have a basic awareness of IT security principles and best practices. Educate your people about concepts like phishing (an email that attempts to trick the reader into giving up sensitive data), and put in place policies to combat social engineering attacks.
Kaspersky found that many employees feel that IT security isn’t part of their job description. They figure that the IT department has it handled, and tend to be lax in their own security habits. That’s not sustainable, of course, because technology can only go so far. Humans have become the weakest link in the IT security chain in many cases, and constant vigilance is the only solution.
What IT Can Do
The IT staff themselves also need to stay educated. They should be aware of the latest malware and other threats. If a new phishing email is making the rounds, IT should send a company-wide memo informing all employees of the risks and potential damage caused by falling for the scheme. Even the most obvious, poorly constructed scam only needs to trick one person to succeed, and the consequences of a data breach can be catastrophic.
Just as important, IT should maintain strict monitoring and control of user access to the internal network. All access should be logged, and logs should be regularly reviewed. Any unusual access, such as from a new and unfamiliar IP address, should be investigated promptly. IT should implement strict access policies, and only grant rights and privileges as needed.
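As an added illustration of the log review described above (this is example code, not part of the original article), the script below builds a per-user baseline of source IPs from a history of successful logins and then flags any login from an address that user has never been seen from before, attaching extra reasons when the address is external or the login is outside working hours. The log format, the sample log lines, the internal address range and the working-hours window are all constructed assumptions; adapt the parser to what your VPN, SSO or SSH logs actually emit.

```python
"""Flag successful logins from source IPs a user has not been seen from before.

Added example, not from the original article. The log format below is a
constructed, simplified one (timestamp, event, user, source IP); adapt the
parser to the logs your VPN, SSO or SSH gateway actually produces.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: a "known good" history, then one day of new events.
BASELINE_LOG = """\
2024-03-01T08:02:11 LOGIN_OK user=alice src=10.20.4.17
2024-03-01T08:05:40 LOGIN_OK user=bob src=10.20.4.52
2024-03-02T08:01:03 LOGIN_OK user=alice src=10.20.4.17
2024-03-02T17:44:19 LOGIN_OK user=bob src=203.0.113.9
2024-03-03T07:58:27 LOGIN_OK user=alice src=10.20.4.17
"""

TODAYS_LOG = """\
2024-03-04T08:03:12 LOGIN_OK user=alice src=10.20.4.17
2024-03-04T03:12:55 LOGIN_OK user=alice src=198.51.100.77
2024-03-04T09:10:02 LOGIN_OK user=bob src=203.0.113.9
2024-03-04T09:11:30 LOGIN_FAIL user=carol src=198.51.100.77
2024-03-04T09:12:01 LOGIN_OK user=carol src=198.51.100.77
"""

# Assumed corporate address space; anything outside it counts as "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return (timestamp, event, user, src_ip), or None for lines we don't understand."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        return ts, parts[1], fields["user"], ip_address(fields["src"])
    except (ValueError, KeyError):
        return None


def build_baseline(log_text):
    """Map each user to the set of source IPs they have successfully logged in from."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "LOGIN_OK":
            seen[rec[2]].add(rec[3])
    return seen


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_unusual_logins(baseline, log_text, work_hours=(7, 19)):
    """Return a list of (user, src_ip, reasons) for successful logins worth investigating.

    A login is flagged when the source IP is one the user has never used before;
    further reasons are attached if the address is external, the login falls
    outside the assumed working-hours window, or the user has no history at all.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec[1] != "LOGIN_OK":
            continue  # only successful logins grant access; failures are a separate signal
        ts, _, user, src = rec
        if src in baseline.get(user, set()):
            continue  # known source for this user
        reasons = ["new source IP for user"]
        if not is_internal(src):
            reasons.append("external address")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("outside working hours")
        if user not in baseline:
            reasons.append("no login history for user")
        findings.append((user, str(src), reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for user, src, reasons in find_unusual_logins(base, TODAYS_LOG):
        print(f"{user:<6} {src:<16} {'; '.join(reasons)}")
```

Run against the constructed data, the script reports two logins: alice from an external address at 03:12, and carol, who has no history at all, from that same external address. Bob's login from 203.0.113.9 is not reported because it is already in his baseline, which is the point of keeping a baseline rather than alerting on every external address.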
On the employee side, any unusual incidents need to be reported to IT immediately. If an employee does accidentally click that funny-looking link, they should file a report right away. Providing a few examples of famous data breaches and the damage they caused can be a powerful motivator for employees to stay vigilant.
Maintaining data security takes cooperation between IT and the rest of the company. IT can implement policies, monitor access, and install protective software. The truth is, though, it’s all for nothing if the other employees don’t keep their brains turned on. Humans are the biggest variable in any technological equation, and keeping security education up to date is just as important as, if not more important than, the latest software patches.