Organizations of all sizes, across all regions and all sectors, face an evolving risk from cyber criminals. Because businesses have become increasingly dependent upon technology, cyber criminals have shifted from the theft of physical assets to the theft of electronic information. The growing use of technology-enabled processes exposes businesses to cybercrime – from the direct theft of data that gives access to financial assets, to the theft of personal data that can be used to assemble an attack on financial assets. Cybercrime can threaten processes ranging from point-of-sale debit/credit card purchases in the retail environment, to ATM transactions in the banking environment, to e-commerce or on-line sales, and to electronic business communications.
Cyber criminals have shifted their focus away from purely technological attacks and increasingly attack employees, using techniques that manipulate people into performing actions or divulging confidential information. Security is all about knowing who and what to trust. It does not matter how many locks you install if the person you trust at the gate lets criminals in. In the cyber world, the weakest link in the security chain is the human operator who accepts a person or scenario at face value. Thieves target this vulnerability. Securing hardware and software is relatively easy; it is the employees within an organization who sometimes fall prey to cyber attacks.
Criminals exploit human emotions (such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness) to bypass even the most iron-clad security measures and gain access to systems. The success of such schemes does not rely upon sophisticated technology; it depends upon human error. These schemes are among the most difficult crimes to prevent, because they cannot be defended against through hardware or software alone.
Because no technology by itself protects against social engineering attacks, organizations must rely on sound security protocols. To build defenses against social engineering, organizations need to design and implement comprehensive security practices:
- Training Programs: Companies should invest in security training programs and keep their employees up to date on current security threats.
- Policies and Procedures: Well-defined policies and procedures give employees guidelines on how to protect company resources from a potential cyber attack. Strong policies should cover proper password management, access control, and the handling of sensitive user information.
- Risk Assessment: A risk assessment helps management understand the risk factors that may adversely affect the company and track existing and emerging threats. Identifying security risks helps enterprises build defenses against them.
- Security Incident Management: To manage an incident, the help desk must be trained to record (among other things) the target, their department, and the nature of the scheme. Such protocols enable a company to actively manage the risk of a breach and mitigate potential losses.