Cybersecurity: Mitigating Risk from Social Engineering
April 15, 2022
Yes, I know, social engineering sounds like a rehabilitation program for robots who want to integrate into mainstream society. Or could be a title from an early 90s sci-fi movie. The reality, however, is that social engineering is the term used for a very real threat in today’s cyber world.
Our previous blog highlighted how, bringing the informational technology (IT) systems and operational technology (OT) systems together, has become a necessity accelerated by the pandemic and how this has posed an increased risk for exposure to cyber threats. Although bringing these technologies together provides an opportunity to improve working efficiency, it is very clear that leaving critical process data vulnerable to a cyber attack is a huge risk to the business and supply chain. Potential vulnerability lies with each individual email address. Considered a ‘domain account’, an email address logs you into servers, computers, and systems across sites. It is effectively one account, one password and access to almost everything. But it’s not all bad news. There are some simple actions that we can all take; a proactive defence against cyber attack.
Social Engineering and the Cost of Data Breach
According to IBM’s Cost of a Data Breach Report for 20211, the average cost of a data breach is $4.24 million and per this report, it took an average 287 days to identify and contain a breach. And the biotech industry is not exempt either. Key pharmaceutical companies were targeted during the pandemic, confirming that we as an industry need to remain alert to this real-world challenge.
Social engineering is considered one of the most effective modes of cyber attack. Through social engineering, cyber-attackers can gain critical information, like passwords or bank information by exploiting the flaws of their victim. This is sometimes done through the art of “phishing” where an attacker might pose as a safe source and request personal information like login credentials, social security numbers etc.
How many of us would love to win a million dollars? I mean, to be honest, if I received an email saying that I’ve won a million dollars, I’d report it as phishing and call it a day. But what if you received an email asking for you to update your Microsoft password? Might seem a little less “phishy”. You know your IT department has everyone change their password every few months, so this does not seem anything out of the ordinary. You decide to click the link where you are prompted for your existing password and type in your new password twice. Seems alright, you guess. So, you enter in your existing password followed by your new password and click on “submit”. Everything seems fine. You might even get a banner on the webpage that says, “Your password has been changed successfully!” Unfortunately, you don’t even realize that your password has been compromised. Now, the cyber-attacker has already found your personal email on a social media site and because you’ve used your common password for both personal finances and work, your bank account is also compromised. Sadly, this can happen.
But let’s say you’re now working on a critical process for work from your home. Now that the attacker has access to your account, they can also access that critical information too! All of this mess just because you clicked on a seemingly harmless link embedded in an email. Clicking that link and providing a little information could give an adversary all they need to compromise your accounts.
Seven Tips to Counterattack Social Engineering
Here are a few tips and tricks to avoid a social engineering attack and to save you and your company millions of dollars!
1. Use a unique password for work accounts separate from your personal accounts.
This one is a little more obvious based on the example, however, using the same password for all your accounts makes it easy for someone with malicious intent to access everything that you have. If your password gets stolen, it can be used to access all of your existing accounts.
2. Check the authenticity of the sender before opening the email and clicking on hyperlinks.
Ask yourself, is this email from outside of my organization? If inside my organization, is the email formatted in a way that I’ve seen before? If you’re unsure, think twice before opening. Consider sharing this email with your IT department before proceeding further.
3. Ensure that multi-factor authentication is enabled for all of your accounts.
Multi-factor authentication might have prevented the above scenario from getting worse. Although you chose to still click on the link from the seemingly safe email and provided your information, the cyber-attacker might not be able to gain access to your accounts because they won’t have access to your secondary factor for authentication. This might be the authenticator app on your device or even a secondary pin that hasn’t been shared with the attacker.
4. Spread the word!
It is extremely important to make everyone aware of the consequences of sharing critical information like passwords, social security numbers, etc. It takes only one employee to provide their information to take down a whole organization. By sharing information on what to look out for and exploring ways to prevent attackers using social engineering from being successful, together we can stand strong against malicious intent.
5. Set your spam filters to high.
A spam filter analyzes emails received by reviewing the sender, the content, its attachments and ultimately searching for anything that might seem out of the ordinary. Any content considered a threat is blocked. Using this filter helps prevent malicious emails from making their way into your inbox.
6. Use that “Report Phishing” button.
Your email provider might have a “Report Phishing” button where you can report an email that made its way to your inbox as a phishing attempt. The “You’ve been selected to win a million dollars,” email fits perfectly here! This will send the message to your email provider and will help their team develop an updated filter to prevent such emails from hitting your inbox again.
7. Encrypt emails that contain confidential information.
This isn’t available through every email provider, however, by choosing encryption emails can be ‘sent securely’, which lowers the chances of a cyber-attacker gaining access to the sensitive data stored within your emails.
Small actions have a big impact. Follow these seven tips and make a stand against social engineering.
Our next blog takes a closer look at cyber control mapping (ISO 27001) and standard IEC 62443 for Operational Technology in automation and control systems.
- Sort By