Social Engineering Attacks: Considerations for SMBs

Sep 22, 2020

When most people think of someone hacking their business, they picture sophisticated cybercriminals infiltrating the network, breaking password protocols, and penetrating the firewall. Although that can happen, it’s very rare. Instead, social engineering is behind most cyberattacks, from high-profile data breaches at the largest corporations to ransomware and other attacks that many small and middle-market businesses (SMBs) fall victim to each year.

This kind of cyberattack doesn’t take a lot of money or sophisticated equipment to carry out, but the result can be quite costly for businesses. In 2020, data breaches cost companies on average almost $4 million per incident, according to the global IBM Security Cost of a Data Breach Report. Of the 17 industries surveyed, healthcare had the highest average total cost at $7.13 million.

Common Social Engineering Attack Vectors

Hackers can access a company’s sensitive information through a variety of social engineering techniques: faking the identity of an authorized user, guessing login credentials by mining social media profiles, or even boldly walking into the office and sitting down at an unsecured workstation. The three most common methods of trying a social engineering attack on an SMB are:

Email — This indispensable business tool is valuable to would-be hackers, too. Many businesses are working harder to train staff to watch for potentially fraudulent emails, but it’s still an extremely successful attack vector — partly because it’s so easy to make an email appear to be coming from someone other than the true sender.
Telephone — Phone calls are another common tactic. The caller pretends to have a legitimate request for access to systems or information, and if the recipient complies, cybercriminals can gain the data they seek.
Physical access — In this tactic, hackers pretend to belong somewhere, such as a bank, an office, or a restricted-access area like a server room. If it works, they can get into the network using their own equipment or through an unattended workstation (even easier, since it’s probably already logged in). Once in, they’re free to steal, delete, or corrupt data as they like, or to install viruses and malware that infect the system.

Why Does Social Engineering Work?

Psychology is key to a successful social engineering attack. People don’t want to get in trouble, and they are curious by nature. For example, an email attachment claiming to offer tantalizing information — the salaries of everyone at the company, perhaps — is nearly irresistible. If the document carries malicious content like a virus or ransomware, just one click can put the entire network at risk.

Similarly, a bad actor posing as an IT auditor with an urgent request to test the safety of employee passwords is often successful; nobody wants to be the person who quibbles about protocol, holding up important work that makes the whole company safer. By exploiting either of these two basic human traits, hackers can bypass even the most sophisticated and carefully planned security systems.

Prevention Starts with Training and Testing

Individual behavior is what allows hackers in or keeps them out, so when it comes to thwarting social engineering attacks, training and testing are the two most effective prevention strategies.

Frontline workers need to understand how to recognize when something is out of the ordinary and how (and when) to report it. But while knowing what to look for can help people identify potentially risky situations, it’s also crucial that they know exactly how to respond.

Every business should have a written policy detailing protocols for verifying the identity of callers, email senders, and in-person visitors. For example, if an email contains any red flags at all, recipients should know to contact the IT department using a familiar number or help desk email address — not via a number or link included in the email — to verify that it’s legit (and do this before clicking on links, downloading attachments, or responding to the email).

It’s also critical that the training includes simulations and practice sessions. After all, it’s one thing to understand the policy in theory, and quite another to react appropriately when it’s happening. The goal is to impart a healthy skepticism in all members of the organization, so that they become comfortable and confident following established procedures in real-world scenarios.

Frequent white-hat social engineering testing is another imperative. This allows the company to identify vulnerabilities, whether that’s a particular attack vector (e.g., email requests or a sensitive location that needs more security) or specific individuals who need more training. Those who fail a test need to know that they failed and receive retraining and coaching, until it becomes automatic to follow established procedures before taking any action that could open the door for hackers.

In addition to training and testing, businesses can adopt tech-based strategies to help stop social engineering attacks. Companies that run their own mail server should implement some type of third-party protection tool that can scan incoming mail for viruses and malware. Some businesses go so far as to forbid attachments completely unless they go through a secure method of transfer, such as a file share platform that ensures the validity of each attachment. And for physical threats, camera systems can send an alert to those responsible for information security when someone enters an area with servers or other sensitive equipment.

The First and Last Line of Cybersecurity Defense

Tools like these can reduce risk, but don’t make the mistake of thinking they’ll provide adequate protection or make up for human error. Cybersecurity experts like to say that in social engineering, your people are your first and last line of defense. Training and testing (and retraining, if necessary) really are the keys to preventing a successful social engineering attack.

Cybercrime isn’t going away, but you can mitigate the risks of social engineering with effective training, testing, and tools. Contact the cybersecurity professionals at CRI for help keeping your business safe.

Social Engineering Attacks: Considerations for SMBs

Sep 22, 2020

Common Social Engineering Attack Vectors

Why Does Social Engineering Work?

Prevention Starts with Training and Testing

The First and Last Line of Cybersecurity Defense

Relevant insights

BSA/AML Model Validation: Understanding Expectations and Balancing Reality

At Long Last, GASB Approves Financial Reporting Model Improvements

To Lobby or Not to Lobby: Understanding Your Association’s Rights

Taxable Advertising or Nontaxable Sponsorship?

After the Standards: A Guide to Everything Else in a GASB...

Enhance Your Technology Tool Kit for Improved Productivity

Essential Governance Policies for Effective Associations

Avoid the Shock of a Surprise Tax Bill

It Figures Podcast: S5:E1 – CECL Lessons Learned and Opportunities Ahead

What Is an Internal Audit and Can It Benefit Your Organization?

Don’t Jeopardize Your S Corporation Status

The Critical Role of SOC Reports in Nonprofit Operations

GASB Pronouncement Effective Dates: Post-GASB 95 Revisions

Treasury Urges Congress to Settle 831(b) Captives Issue

Federal Deposit Insurance Corporation Improvement Act (FDICIA) Requirements

Understanding the New Employee vs. Independent Contractor Classifications

Global Internal Audit Standards Resource

Inheritance Unplanned: The Unexpected Impact of Taxes on Families

How Should School Districts Report Charter Schools?

Resource: Identifying and Reporting Charter Schools as Component Units

Are Charter Schools Component Units?

IRS Continues Pursuit of 831(b) Micro-captives in Tax Court Wins

Governmental Accounting & Auditing Omnibus

The Importance of Diversifying Your Customer Base

Discovering Your Business’ Value

Are Your Social Security Benefits Subject to IRS Taxation?

From Red Carpets to Tax Returns: The Versatile Roles of Accounting...

Pooled Income Funds Benefit Both Donor and Charity

Understanding the Implications of the House Committee’s Tax-Exempt Review

Introduction to the Global Internal Audit Standards

How Have Fraud Risks Changed?

5 Things to Remember About Substantiating Charitable Donations

Stay Vigilant to Reduce the Risk of Occupational Fraud

Crafting an Effective Nonprofit Document Retention Strategy

Ensuring Financial Integrity in Church Operations

Nine Questions About GASB Statement 102 on Risk Disclosures

State Tax Considerations for Insurance Companies

How to Be Prepared With a Business Continuity Plan

Real-Time Results: How Dashboards Can Help You Move Your Small Business...

Demystifying Deferrals: Illuminating the Intricacies of State and Local Government Accounting...

Key Discount Factors for 2023 Unpaid Losses in Insurance Companies

Fundamentals of Business Valuation: The Income Approach

Fundamentals of Business Valuation: The Market Approach

Optimizing Tax Benefits in Multi-Family Properties with Cost Segregation

Fundamentals of Business Valuation: The Asset Approach

2024 Cost of Living Adjustments Resource

IRS Issues Standard Mileage Rates for 2024

Loan Modifications Quick Reference Guide

Beneficial Ownership Reporting FAQs

New Beneficial Ownership Reporting Rules for Small Business

More Tips for Translating GASB Standards into English

Recent IRS Update: Postponement of Form 1099-K Reporting Threshold

Don’t Get Ready for Fiscal Year-End. Stay Ready.

Why Should You Consider a Sample Credit Card Agreement?

Key Insights for Employers on the Employee Retention Credit

Adapting to the IRS’s Electronic Filing Requirements

Help Your Business Finish Strong with These 10 Year-End Tasks

Faithful Finances: Crafting Credit Card Policies for Religious Organizations

Understanding the Hospitality Industry Audit Process

Unlocking the Value of Your Business, Part II: Post-Sale Considerations

Unlocking the Value of Your Business, Part I: Pre-Sale Considerations

5 Savvy Black Friday Shopping Tips to Put In Your Bag

EV Tax Credit Eligibility Flow Chart

Energy Tax Credits Table

QBI Deduction Flow Chart

Tax Implications of Debt and Equity Financing

Ensuring Franchise Success through CPA Expertise

Tax Alert: IRS Releases 2024 Inflation Adjustment

Financial Institutions – Year-End Accounting and Risk Management Update

How Does Industry Affect Fraud Risk?

You, Too, Can Set Accounting Standards

Networking for a Cause: Utilizing LinkedIn for Nonprofit Success

Cost-Effective Fraud Protection

Discovering Your Business’ Value  