Posted on DEC 15, 2016

Social engineering: don't fall victim to human hacking - part one

Part One of a Two‐Part Series

When it comes to keeping your business safe, your first thoughts may go to corporate cyberattacks that have been widely publicized. Indeed, cyberattacks are a major problem for businesses. Addressing these threats costs U.S. firms an average of $12.7 million annually. But sophisticated online attacks are not the only way that criminals infiltrate U.S. businesses. The most vulnerable component in businesses is often not technology—it's people. In fact, the three largest areas of vulnerability your employees face on a daily basis are in person, via email and by phone. Part one of this two‐part series will identify in‐person threats and provide you with steps to secure your business.

In‐Person Threats Remain a Danger

“Many people forget about the physical threat of stealing company information,” explains Dave Gorr, Vice President of Investigation and Corporate Security at Johnson Financial Group, and retired FBI agent. “Especially in the Midwest, where people are so trusting, it is amazing how often a person can misrepresent themselves and gain easy access to a business.”

Criminals looking to steal sensitive information and other company or personal assets rely on poor security protocols to commit crimes undetected. They do this in a variety of ways:

  • Walking right in – As simple as it sounds, often if someone walks into a business with a purpose and acts like they belong, employees may be less likely to question them.
  • Tailgating or “I'm with this guy” – Some fraudsters will walk in close proximity to an employee entering the business, seeming to belong by association.
  • Impersonation – Criminals may pretend to be a vendor or service provider such as an exterminator to gain access to your facility.
  • Dumpster diving – Make certain that non‐public information is securely disposed of. Implement a shred policy and partner with a trusted vendor who will provide a certificate of destruction.
  • Seeking employment – Fraudsters gather information and insight during the interview process. Companies tend to lower defenses when dealing with potential candidates.

Employees are the first line of defense in recognizing in‐person threats to your business. Security training for employees is vital, but often overlooked. “Many employees are taught to perform their jobs, but are not given the resources or training when it comes to keeping the business safe,” says Gorr. In general, preparing employees involves security awareness training, developing a security policy and periodic testing.

Adding to the threat businesses face is the downsizing of companies. Many no longer have receptionists, who often help to identify people coming in and out of the building. And few businesses are able to have a dedicated security officer. “In many companies people are wearing many hats, and security is one aspect that can easily fall by the wayside,” explains Gorr. “But there are steps that every business can take to improve security and minimize risks.”

Four Steps to Secure Your Business

  1. Perform a security audit – The first step in securing your business is performing a security audit. Security audits should ideally be conducted by a third party. “Almost 98 percent of companies are challenged with physical breach failures,” says Gorr. “But through awareness you learn where you need to improve security and what you need to teach your employees.”
  2. Identify your weaknesses – Security lapses can come in many forms. Many businesses don't use badges or card access systems for entry. Even where such systems are in place, they may not be effective if employees regularly leave doors unlocked, allowing individuals to walk around freely. “Even today people will keep passwords taped to their monitors or under their keyboards, which is just another reason to know who is in your building,” says Gorr.
  3. Create a security plan – Use what you've learned to create new policies and procedures that minimize the threat of in‐person criminal activity. Educate your employees about security threats and the steps you are taking to combat them.
  4. Make security a priority – Employees have many competing objectives and priorities, sometimes causing procedures and safeguards to fall by the wayside. “A security plan must be reinforced and supported by leadership and management,” stresses Gorr. “It's not something that you can just train for once and let it go.”

Security As an Asset, Not an Expense

When it comes to your business, it's easy to look at security as an added expense and treat it accordingly. But this way of thinking allows for security to be an item that is minimized or forgotten during tough times. Instead, consider your company's security as a valuable resource protecting your brand and your business.

“It has to be a conscious choice for the company to address security concerns, and decide that it's important to continue to develop and enforce a security policy,” says Gorr. “All it takes is one security breach, not only from a financial aspect but also reputationally, to have a potentially catastrophic effect on your business.”

A Look Ahead

When protecting your business it's easy to focus attention on preventing sophisticated online attacks, but often the most vulnerable component of any business isn't technology—it's people. In part two of this two‐part series, we'll examine five ways to reduce your risk from remote threats executed via email and phone.