We live in a digital age with high-tech solutions everywhere. Yet cyber threats to business continuity come not just from vulnerabilities in machines, but from vulnerabilities in people too. Social engineering (a strange term that simply means ‘conning’ people in this context) is one of the most effective techniques that hackers and cyber criminals use. In fact, it’s often much easier for them to play confidence tricks on people to get confidential user and password information than to try to break the latest encryption software.
‘Social engineers’ use human emotions to get each victim to react in a way that gives them access they should never have.
- Laziness. We’re not just talking about failure to define strong computer passwords or resist the temptation to write them on a sticky note on your PC. Sometimes trust is in fact laziness in disguise. Allowing the pizza delivery person to roam internal corridors or holding a security door open for someone who ‘seems to have forgotten their access badge’ are examples.
- Guilt. Feeling pressured to react in a certain way after an accident, or taking pity on someone who is apparently in distress, are instances here. The difficulty is in deciding whether or not a case is genuine, and social engineering criminals know that piling on the pressure and urgency (“I’m bleeding!”) is a good way to fluster victims. A similar technique is distraction, where a receptionist’s attention is diverted momentarily so that a would-be intruder can glean information on names or phone numbers from the internal directory.
- Greed. Something for nothing always has a strong attraction. Victims are asked to provide an email address, click on a link or download what appears to be an innocuous file. Hackers then use one employee’s email address to guess others, make the link go to a web phishing page, or attach a virus to the download file.
While you make your business continuity plans, consider building in procedures or solutions that will prevent human characteristics like these from becoming a ‘single point of failure’ for your organisation.