Why is it important to focus on protecting your organization from social engineering attacks? And what is the connection between information security and expanding your circle of customers? Here are four tips to help make sure your organization does not fall victim to the next cyberattack.
It’s no secret that hackers have done well out of COVID-19. According to FBI data, in the first months of the Corona outbreak there was a 400% jump in the number of attacks in the US, with high figures continuing throughout 2020. Similarly, according to a recent Interpol report, there has been a dramatic jump in attacks around the world. It is therefore critical to put in place 360-degree protection at your organization, to ensure that there is no vulnerability that a hacker could exploit.
Here I offer four often-overlooked tips for avoiding vulnerabilities that also give you a business advantage.
1) Emphasize cyber awareness education throughout your organization
In 2020, 22% of all successful attacks were phishing or social engineering attacks. In July 2020, the headlines were filled with news of hackers infiltrating the Twitter accounts of some of the most well-known personalities in the world, including past and present US presidents Barack Obama and Joe Biden, and technology giants Elon Musk, Bill Gates and Jeff Bezos. Applying what professionals call ‘social engineering’ – a term for a type of attack that exploits human nature, such as enticing a user to download an attachment or click on a link – the hackers took advantage of the human weakness of Twitter employees.
The attack on Twitter made the headlines because of the high-profile personalities involved. But attacks like this happen all the time, without attracting the media’s attention. In fact, nearly a quarter of all successful attacks in 2020 were phishing or social engineering attacks. Therefore, one of the most important things you can do to protect your organization is to educate your employees – but there’s more to this than sending out occasional emails reminding people not to click on suspicious links. In order to truly protect your organization from social engineering attacks, you need to systematically create organizational awareness about information security, and conduct regular training, proactive phishing campaigns and more. This is especially important in times such as these, when we are increasingly working from home, and each employee becomes their own CISO.
2) Check your customer interface points
Organizations typically shy away from customer education and are generally less aware of how their customers expose them to security risks. This creates loopholes in an organization’s information security. It is especially important to consider this if your organization has systems that are used by customers who connect to them by entering a username and password on a web page. In systems of this type, it is very important to maintain a strong password policy. Similarly, when we give customers access to our organization’s server environment, if we have not restricted access to the environment, or even completely separated the environments that are only accessible internally from those that are accessible externally, this could serve as the entry point for a hacker.
Of course, it’s not always easy to explain all this to customers, and we don’t want to burden them with too strict a policy. Sometimes, the solution is to hire an outside company to test the system and make a recommendation – it’s harder to argue with the advice of a third-party security company!
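As an added example (not from the article), here is a password-policy check of the kind a customer-facing login page could apply; the policy itself is an assumption modelled on NIST SP 800-63B guidance (length over complexity, a blocklist of common or breached passwords, no context-specific words), and the blocklist and organization name are constructed sample values.

```python
"""Password-policy check for a customer-facing login page (added example).

The policy is an assumption modelled on NIST SP 800-63B guidance; the
blocklist and organization name below are constructed sample values.
"""
import unicodedata

# Constructed sample blocklist; in practice load a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12
MAX_LENGTH = 128


def normalize(password: str) -> str:
    # NFKC normalisation so visually identical strings compare equal.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str, org_name: str = "Example Corp") -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    pw = normalize(password)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # Reject context-specific words such as the organization's own name.
    for word in org_name.lower().split():
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains organization name '{word}'")
    if len(set(lowered)) < 4:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple", "alice-secret-2024-x"]:
        print(repr(candidate), "->", check_password(candidate, "alice") or "OK")
```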
3) Apply strict standards when dealing with vendors
This is a two-way tip: when choosing vendors, make sure they meet strict information security standards; at the same time, when you are acting as a supplier to your customers, make sure your own organization meets strict information security standards – this way you will both be protected and also more attractive to your customers.
Suppliers are a potential exposure point for your organization, so when choosing who to work with, it is important to make sure that they meet strict information security standards. For example, if it’s an organization that collects customer information, it is important to check that its databases are registered. In general, it is advisable to conduct a vendor survey, and make sure not to expose your organization to places over which you have no control.
On the other hand, it is worth conducting periodic internal inspections to ensure that your own organization meets strict information security standards. Not only does this help you to prevent the next potential attack but, when customers enquire about your own standards, it can also give you a relative advantage over your competitors. This is especially true if your customers include large organizations in the fields of finance, insurance and health, or when you look to the markets in the US and Europe, where information security standards and regulations tend to be strict. For example, an organization offering services to the health sector that works according to the HIPAA standard has a relative advantage over its competitors.
4) Make sure that external exposure of your organization’s assets is controlled and filtered
Every organization has an external and internal infrastructure that is used by employees and customers. It is very important to ensure that external exposure of your organization’s assets is subject to control and filtering. Your internal network is even more sensitive, so it is important to use internal organizational protection measures to prevent malicious individuals who physically come to your premises from harming the organization’s assets. To discover weaknesses in your infrastructure and prevent potential breaches before they occur, you could even perform infrastructure penetration testing.
We are now long past the initial shock of the coronavirus, but the new normal of living alongside it requires us to keep changing and adapting our security practices to this new way of life. As we all know, prevention is better than a cure. This is why I have focused my tips on how to prevent the threat of attack ahead of time.
By Doriya Galam, Offensive Security Team Leader & Information Security Project Manager, 2Bsecure, Matrix