Trustwave published its Global Security Report for 2019, which reveals the changing face of malware and data breaches. For business owners and IT managers, what is most important is how cybersecurity strategies must change to stay ahead of advances in attack speed and stealth.
Social Engineering Attacks On The Rise
Among the most significant findings of the report is that one of the biggest categories of threats doesn’t begin with malware at all, but instead consists of “social engineering” attacks that manipulate users into allowing malicious software to be loaded or into granting access to otherwise secure resources. In 2018, social engineering was the top method of initial compromise.
Phishing, in which a user is presented with fraudulent emails or websites that appear legitimate, is designed to trick a trusting user into entering their credentials. Once the hacker (or hacking software) has the legitimate credentials, it logs into the resource to do its damage.
If the resources are technical in nature, such as the email administrator, network administrator, or other computer resources, the hacker can destroy data, install or distribute ransomware, steal personally identifiable information (PII) for identity theft, steal proprietary business information, or cause other damage. If the resources are financial in nature, purchases can be made and bank accounts emptied.
Warning to Executives
A subset of social engineering and phishing attacks is causing enormous damage. “Business Email Compromises” (BEC) are emails that appear to be from one person within the company and are sent to another. According to a Verizon 2019 Data Breach Report, senior executives are 12 times more likely to be the target of BECs and social engineering attacks in general. Their success rests on two factors:
- The executives have access to vital company information and resources
- The senior members of a company tend to be older and less computer savvy
In this kind of attack, a hacker sends an email to Executive A that appears to be from Executive B, who has the authority to make the request. The email asks that access be granted to a company resource. Executive A grants the request, and the resource becomes instantly available to the hacker. Other requests might include making a purchase, transferring money, or sending a payment.
Imagine the damage when the right person in the company receives an email like this:
- “Bob, Sally has forgotten her company email login information. Please reset her password immediately and send the information to her Gmail account.”
- “Bob, please give Kevin access to the accounting volume on our server.”
- “Bob, please reset my database password and send it to me asap.”
- “Bob, the routing and account number for the bank wire for Supplier A has changed. Please send our next payment ASAP to routing number 98764531 and account number 123456789.”
The recipient of this request doesn’t need to be an executive, but does need to have access to the requested resources.
How To Defend Your Company Against Social Engineering
Good endpoint protection can help to protect your users from receiving such emails in the first place. For example, emails that claim to be from your bank but don’t come from your bank’s email servers would be routinely captured by our cybersecurity systems.
But many of these emails don’t claim to be from a business. According to Trustwave, “84% of BEC messages used free webmail services for distribution, 12% used spoofed company domains, and 4% elected to employ misspelled or lookalike domain names to deceive recipients.”
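The three delivery patterns in the Trustwave figures above (free webmail, a spoofed company domain, and a misspelled or lookalike domain) can each be checked at the mail gateway. The following triage function is an added example and not code from the original post or from any vendor product; it assumes example.com is the protected company, a hypothetical list of executive names, and that the gateway records SPF/DKIM results in an Authentication-Results header. It also flags a Reply-To pointing at free webmail, which goes slightly beyond the three categories quoted.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Assumptions: example.com is the protected company's domain; the executive names and
# the free-webmail list are a hypothetical, illustrative directory.
COMPANY_DOMAIN = "example.com"
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
EXECUTIVE_NAMES = {"sally jones", "bob smith"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; lookalike domains usually sit 1-2 edits from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_headers: str) -> list[str]:
    """Return the BEC indicators present in one message's headers (empty list = none)."""
    hdr = HeaderParser().parsestr(raw_headers)
    display, addr = parseaddr(hdr.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Free webmail account wearing an executive's display name.
    if domain in FREE_WEBMAIL and display.strip().lower() in EXECUTIVE_NAMES:
        findings.append("executive name on free webmail")
    # 2. Our own domain in From, but the gateway recorded no passing SPF/DKIM result.
    if domain == COMPANY_DOMAIN:
        auth = hdr.get("Authentication-Results", "").lower()
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            findings.append("spoofed company domain")
    # 3. Misspelled or lookalike domain (examp1e.com, exarnple.com, example.co).
    elif domain not in FREE_WEBMAIL and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")
    # 4. Replies silently redirected to a free webmail box.
    _, reply = parseaddr(hdr.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() in FREE_WEBMAIL and domain not in FREE_WEBMAIL:
        findings.append("reply-to on free webmail")
    return findings


# Constructed sample headers for the demonstration, not real mail.
SAMPLES = {
    "webmail": "From: Sally Jones <sally.jones.ceo@gmail.com>\nSubject: urgent wire\n",
    "spoofed": "From: Sally Jones <sally@example.com>\nAuthentication-Results: mx; spf=fail\n",
    "lookalike": "From: Sally Jones <sally@examp1e.com>\n",
    "legit": "From: Sally Jones <sally@example.com>\nAuthentication-Results: mx; dkim=pass\n",
}
```

Run `bec_indicators(SAMPLES["spoofed"])` and the like to see which pattern each constructed message trips; a real deployment would feed these findings into the gateway's quarantine or SIEM rules rather than block outright.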
And some social engineering threats don’t even arrive via email. A client of ours recently received a phone call from someone claiming to be an IT consultant, who directed the employee to grant the hacker on the line access to vital company resources.
Training Is The Key
Our Business Protection Toolkit offers many protections for your business, including strong Endpoint Protection, Behavior-Based security, real-time SIEM monitoring of your security logs, and more.
But all of them are strengthened by employees who are aware of the threats your company faces and how to detect them. Cyber Security Awareness Training is a critical part of any company’s cyber security plan, and we now offer it to all our cyber security clients.
In our training series, employees are taught to identify and prevent threats like these. They will be able to identify phishing emails, distinguish legitimate from illegitimate requests, and even detect malicious phone calls.
Get Protected
Data breaches, ransomware, stolen resources, access to bank accounts, and other cyber crimes can put a company out of business. No matter the size of your company, from sole proprietors to hundreds or thousands of employees, your business needs thorough protection. Talk to us about our Cyber Security services, including our Business Protection Toolkit, so that your business doesn’t become part of a statistic in next year’s cyber security report. Contact us online or call us at 213-398-8771.
