Humans are the weakest link in the information security chain, and the COVID-19 crisis made this worse by forcing many companies to adopt, and then keep, at least a hybrid, if not fully remote, way of working.
Remote work is particularly vulnerable to threats
People and the systems they use are even more exposed at home than at work. We often use our own devices for work, we are no longer protected by relatively well-secured corporate networks and, from a purely human point of view, at home we tend to drop the safeguards that the organisational culture of the office may have instilled in us.
Like everyone else, hackers usually take the path of least resistance. Why bother hacking into complex computer systems that may be extremely well protected, when you can hack a person and get access that way?
We are all only human
Unless someone is a psychopath or sociopath, as a normal human being they’ll react to the world around them according to certain laws that nature has built into the brain over the hundreds of thousands of years of evolution. In order to survive and evolve, we have developed mechanisms that make us naturally social beings. We are thus capable of empathy and sympathy, and we like to help people in need because we expect that others will help us when we need it, too. In general we believe that other people are essentially good, because that’s how we see ourselves.
Why is social engineering effective?
In this context social engineers, who are really nothing more than criminals with a fancy name, tend to exploit the following five psychological triggers:
- Greed. Who wouldn’t want to make a quick buck? Especially if someone has found out that a recently deceased bank manager had the same name as you, and they can withdraw around USD 10 million from the dead man’s bank account and offer you 10% if only you’ll send them some details…
- Curiosity. “I love you” read a famous email that contained a virus. Who wouldn’t want to open such an email and find out who their admirer was?
- Urgency. You get an email that says your inbox is running out of space and unless you click the link right away you won’t be able to send any more emails. Does this sound familiar?
- Willingness to help. Criminals often take advantage of major tragedies and people’s willingness to help, such as by raising funds that never end up where they should.
- Fear. You receive an email in which MasterCard, for example, says that someone has used your credit card and you need to re-validate it.
Good social engineers can turn all these triggers to their advantage. Although it sounds like a well-earned and prestigious title, a social engineer is actually a manipulator, which sounds far less flattering.
And sadly, as much as we’d like to believe otherwise, not everyone has good intentions.
Who is vulnerable? Everyone.
There’s something we often encounter in companies. Management tends to treat directors, managers and perhaps the finance department as the critical users, and forgets about everyone else: door attendants, administrative assistants, even the cleaners.
But these people also have access to the company’s IT resources, if not in the form of a username and password, then physically. And there’s not a hacker in the world who wouldn’t love to have physical access to servers.
To give a concrete example: a company is deciding how many licences to buy for an email security service, and their thinking is to focus only on the directors, managers and finance department, the people who make the important decisions.
But this is a big mistake, as all users who have their own inbox need to have their email protected.
What do we offer?
- We simulate a social engineering attack as part of a penetration test. We can perform typical scenarios with an email, phone call or a physical intrusion attempt, where we play the role of a postman, security guard, or internet service provider employee, among others.
- We provide training to raise your employees’ awareness of the dangers of social engineering, teaching them how to identify and effectively repel attempts at such manipulation.