Negligent Employees And Their Vulnerability to Social Engineering

Overview

Cybersecurity professionals have reported for years, that most security breaches that they have to fix usually originate from negligence of one of the employees. Weak, lost, and forgotten passwords, irresponsible internet surfing, clicking on malicious links (in phishing emails), providing sensitive information to unauthorized people (acquired via social engineering tactics), all of this non-vigilant behavior poses threats to the integrity of an organization.

Social Engineering and Data Exfiltration

Social Engineering includes manipulative methods used to acquire otherwise unreachable information from people while disguising as a trusted authority in electronic communications.

Phishing emails usually contain malicious links that may lead to fake login pages that impersonate authentic webpages. When an non-skeptical user casually enters sensitive information on such sites, it is stolen by the attacker.

The damage however isn’t limited to credential theft. These malicious URLs sent to employees through malspam campaigns may lead to webpages or compromised websites dropping malware and payloads on the user’s device. They may also contain obfuscated payloads in PDFs or word documents which may lead to files encryption of your computer by a ransomware. Decrypting the files usually costs a high ransom in bitcoins.

How Does Social Engineering Work?

Cyber attackers aren’t genies extracting all your data by snapping their fingers. They are what they are; attackers. They need an entry point to intrude the premise of your business or organization. And well, with 500 people working in an organization come equal entry points, which means locking the gates wouldn’t do the trick. You need to train your employees to make sure the gates remain locked.

Attackers know how to manipulate internal employees, the people having access to the most confidential information of an organization, into providing confidential information.

This includes all tactics to manipulate users into giving out information, either by luring them into benefits, offers, free gifts and giveaways or by creating panic and haste through fake campaigns like “Bank Account Locked” etc.

The Scope of Social Engineering

Apparently, what percentage of cyber-attacks would you think is due to negligence of employees? Let’s have a look at statistics evaluated by experts.

The statistics below will make your eyeballs expand.

• “95 percent of all security incidents involve human error.” found IBM, the cybersecurity giant, back in 2014.

• According to research by Federal Computer Week cited in a Vormetric report, the greatest impacts of successful security attacks involving insiders are exposure of sensitive data, theft of intellectual property and the introduction of malware.

• According to Verizon’s “2013 Data Breach Investigations Report,” 95 percent of advanced and targeted attacks involved spear-phishing scams with emails containing malicious attachments that can cause malware to be downloaded onto the user’s computing device.

• According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.

• States the Webroot Threat Report, nearly 1.5 million new phishing sites are created each month.

• Intel reports that 97% of people around the world are unable to identify a sophisticated phishing email.

• According to a report, 78% of the security professionals think the biggest threat to endpoint security is the negligence among employees for security practices.

• Around 60 percent of businesses got trapped in a social engineering attack in 2016.

• IBM’s 2016 Cyber Security Intelligence Index reported that 60% of all the cyber-attacks in 2016 were triggered or caused by insider employees. (Of these, 75% were intended while 25% were due to negligence).

• Social Engineering is used as a vector in over 66% of all attacks by hackers, hacktivists and nation states, states an infographic by social-engineer.

• The same infographic mocks the reality of human skepticism. It says that 90% of the people will provide their spelled-out names and email addresses without confirming anyone’s identity, 67% will give out security numbers, birthdates and employee numbers, while their success ratio in physical breaches is 100%.

• The infographic further says: Clicking links in emails led to 88% of reported phishing scams. Also, 90% of all emails is scams and viruses.

Possible Consequences of Social Engineering Campaigns

• Social Engineering can be used to acquire an organization’s contractual information, employee details, client details and other confidential data, or it may be used to extract credentials or financial details of employees.
• It may be used to drop ransomware to encrypt the victim’s data and files in order to get a ransom payment.
• It may lead to Corporate Espionage.
• It may contaminate the integrity of an organization.
• It may cause bigger damages by disrupting some critical processes.

Employee Awareness Programs

Statistics reveal that most employees are lured into such fake offers and will not hesitate for a minute before clicking on a malicious link that says “Free trip to Hawaii” or “You’ve been selected as our new iPhone winner”. Such happily fooled employees are the weakest link in an organization’s cyber security.

Our team performed some social engineering activities on multiple employees of multiple organizations and achieved a collective end result of 86% success in users compromised, in the scenarios of Vishing, Phishing and Physical social engineering. The alarming stats immediately called for employee awareness programs.

Employee awareness programs are necessary to create awareness among employees about such scams and malicious campaigns. In order to avoid data breaches initiated by careless employees, ensuring a healthy password policy along with benign internet surfing habits is a necessity.

How to Cope With Internal Glitches in Your Organization

As mentioned above, in order to ensure maximum cyber security, employee training programs are inevitable in today’s cyber arena. Moreover, organizations should promote a culture of cyber awareness on all levels meanwhile keeping intact a healthy and resourceful IT department. The employee awareness program should enforce the following:

• Employees should avoid clicking on emails coming from untrusted sources.
• Employees must not click on URLs or email attachments coming from unexpected sources, even if they look harmless.
• Employees should not download software or files from random sources on the internet.
• Employees should maintain healthy internet surfing habits, and should not visit malicious websites.
• Employees should refrain from providing confidential information to anyone over emails, calls or even casual face-to-face conversation.
• Employees must not leave their devices unattended or unlocked, and should always be very careful about removable storage devices containing sensitive information.

Moreover,

• Organizations should monitor online activities of all of their employees and should enforce a strong data policy. This requires introducing consequences of policy violation to encourage a more responsible behavior by employees.
• Organizations also need to make this training practical, interactive and applicable.
• The training programs must include all employees, even if at different levels, according to their knowledge and job roles.