Expert tips to protect your organisation from ‘people hacking’

91% of Cyber-attacks start with an email, and the people in your organisation are your weakest link.

Companies are being attacked by malicious cyber criminals with more frequency and sophistication than ever before, said Jenny Radcliffe – aka ‘The People Hacker’.

Speaking that the Mimecast 2016 event, Radcliffe explained that these attackers are becoming more adept at getting people in organisations to help them circumvent security controls.

“Security technologies are becoming more and more effective, and as a result, social engineering attacks are becoming more complex than ever before,” she said.

Social engineering is aimed at exploiting people as the weakest link in the information security chain.

“People are easier to hack than technology is, and we are seeing a new breed of attackers who appear to be trained in psychology.

“They are using that to get people in organisations to help them circumvent security controls.”

This approach can take many forms, including physical access to buildings, email phishing and telephone calls to engage insiders and build trust relationships.

How social engineering endangers your security

Social engineering attack planning typically involves building a profile of the target organisation and its employees.

Hackers use sources such as corporate websites, industry forums and social media sites, including Facebook, Twitter and LinkedIn to gather information.

“Attackers will then seek to build a trust relationship with an individual or individuals within the organisation over a longer period – even up to six months,” said Radcliffe.

This makes it possible for attackers to identify the easiest way in and to manipulate employees of an organisation to help them gain access to the information they seek.

“Because it is not a technical attack, attackers don’t even necessarily need technology to hack a person,” Radcliffe added.

“In some cases, hackers will bump into your employees in the real world, by tracking where they socialise after hours, for example, and build a relationship with them in person.”

Tips to protect your people and your organisation

These attacks can cause huge financial losses and could cost you your reputation and your business, so Radcliffe’s first tip is to admit that your organisation is vulnerable.

“It can happen to your company too,” she warned. “If you deny that this could affect you, you have painted a huge target on your back.”

She adds that the human element has always been a major vulnerability, and people have always been the quickest way in.

“For this reason, people need training and they need to understand that the attack will be personal to them.”

Most staff do not consider security to be their problem, rather believing that the IT team is protecting them from cybercrime.

“But each employee is a conduit and a way in, so you need to drop the culture of blame and instead create a culture of awareness,” she explained.

“Culture will determine the type of attack you will get, and if you have a culture of blame, fear will be used to get into your organisation.”

Radcliffe advises having ‘security moments’ in meetings where people can bring their own stories and start a narrative, as this will engage them in the process.

“You will get a lot of complaining, reluctant feedback and false positives, but it is a good start and this costs nothing to implement,” she said.

Also ensure that employees are wary of any new acquaintances who attempt to build trust very rapidly.

“Train your employees to be wary of anyone who seems particularly easy to talk to and who seems particularly interested in them, their jobs and their organisation,” she added.

“They should be trained to be careful about what they disclose and how they co-operate with outsiders.”

Employees should even be wary of job offers from unknown people who are keen to discuss their current role, experience and areas of expertise.

This is one way attackers can use to engage employees of an organisation to find out what kinds of information security systems are deployed.

Protecting your email from phishing

Considering that 91% of hacking attacks begin with phishing or spear-phishing, are your defenses ready?

It can take 229 days before your business realizes it’s been breached, and that’s a dangerously long time for cybercriminals to have access to your customer’s private information.

Your organization can’t afford a disruption to business operations — breaches cost millions and destroy reputations.

Even with training, 23% of phishing emails are still opened, so protecting the company against human error is a top priority.

Mimecast Email Security services are a critical defense to protect against advanced threats and data loss.

Mimecast solves critical email security issues with:

• Targeted threat protection
• Spam and multi-layered malware protection
• Secure messaging and encryption
• Data leak prevention
• Secure large file sharing

The Mimecast cloud-based service means always-on, always up-to-date protection without the complexity and cost of traditional offerings.

Added benefits of email cloud services provided by Mimecast include flexible and granular email security controls.

For more information, visit the Mimecast website.