In today’s environment of rampant data breaches and ransomware attacks, the focus often turns to hardware and software solutions. These are a vital part of any organization’s defenses, to be sure, and should be regularly maintained and updated.
In most cases, however, the biggest threat to an organization’s cybersecurity standing is not in a computer, but in a chair. In a 2023 report, Verizon noted that human error played a role in nearly three-quarters of all cyberattacks. Those errors are often the result of social engineering.
What is social engineering? Essentially, it’s manipulating someone to gain their trust. Social engineering takes many forms including phishing and smishing, among others. To use an analogy, you might have secure locks and a top-grade alarm system protecting your home, but none of that will matter if you willingly let a burglar come in through the front door. If hackers can fool you into sharing credentials or clicking a malicious link, the best cyber defenses may not help.
Social media is a frequent starting point for social engineering attacks. A bad actor can easily learn someone’s name, job title and organization from LinkedIn, for example. If they dig a little further, they might learn that Robert goes by “Bob,” and that his spouse’s name is Linda, making it easier to either impersonate Robert in an email to someone else, or to target Robert directly. This exploitation often plays out over time as the hacker gains the victim’s trust.
One of the challenges here, of course, is that in many cases an organization can’t really control what its employees do on social media. They can and should, however, train employees on common tactics used by hackers and best practices to avoid becoming a victim. These include:
Lock it down: Double-check privacy settings on social platforms to make sure you’re sharing information only with friends or other contacts and not the general public. That’s not foolproof, but it’s a start.
Watch what you share: Never share an email address or other contact information on social media. And you’ve heard it a million times, but it bears repeating: No one from any legitimate organization will ever contact you to ask for your login details.
Use MFA: Yes, it’s a bit of a pain to enter that code that just got texted to you. It’s also a huge help in securing your accounts. And again, no legitimate entity will ask you for that code.
Slow down: Were you expecting that attachment from someone you don’t often interact with? Did HR really contact you to ask for personal details? Pick up the phone and confirm. Is there a link to click? Hover your cursor over it and carefully check the URL it actually points to; the visible link text and the real destination can differ.
Ask questions: Did a stranger contact you via social media or email referencing a mutual friend? Or did someone reach out to help you resolve an account issue you weren’t aware of, for example a password reset? Both are red flags, and there are many others.
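The “hover over the link” check above can also be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from the original post or from Hill Tech Solutions: it parses the HTML body of a message and flags any link whose visible text names one host while the href points at another. The sample message is constructed and uses reserved example domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a hostname in visible link text, with or without a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Return (visible_text, real_host) for links whose shown host differs from the href host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if not shown:
            continue  # plain wording like "Reset password" carries no host claim
        shown_host = shown.group(1).lower()
        # A subdomain of the shown host (login.example.com vs example.com) is not a mismatch.
        if shown_host != real_host and not real_host.endswith("." + shown_host):
            findings.append((text, real_host))
    return findings


# Constructed sample message: one honest link, one look-alike, one with no host in its text.
SAMPLE_EMAIL = """<p>Your password expires today.</p>
<a href="https://www.example.com/help">https://www.example.com/help</a>
<a href="http://www.example.net/reset">https://www.example.com/reset</a>
<a href="http://www.example.net/reset">Reset password</a>"""

if __name__ == "__main__":
    for text, host in link_mismatches(SAMPLE_EMAIL):
        print(f"link text {text!r} really points at {host}")
```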
A little cynicism and caution can go a long way in protecting your organization – and yourself – from social engineering attacks. And remember that training your team on these matters is an ongoing process. The tactics used by bad actors are constantly changing, and so should your defense strategies.
Questions about this or other cybersecurity issues? Contact Hill Tech Solutions.