CIOs And The Problem Of Social Engineering

Social engineering is how the bad guys get employees to say too much
Social engineering is how the bad guys get employees to say too much
Image Credit: Alexandre Formagio

So let’s pretend for a moment that you’ve switched sides. You are now a hacker that is trying to break into your company’s network because you understand the importance of information technology, want to get money from your company, or do something else that you really should not be doing. How are you going to go about making this happen? In the old days, you’d create a malicious piece of software and then try to smuggle it into the company so that it could do your dirty work for you. However, hackers have since moved on. These days they use a more sophisticated attack: social engineering. As the CIO are you going to be ready to defend against this?

What Is Social Engineering?

So just exactly what is this thing that we call “social engineering”? Social engineering can mean many different tings, but in general it happens any time that hackers trick employees into sharing information that will help the hackers to find vulnerabilities in the company’s networks so they they can launch an attack. So how do the bad guys go about conducting a social engineering attack on your company? We all know about the sophisticated phishing attacks that have been carried out in the past few years. However, now the hackers are making phone calls where the hackers are able to trick employees and get them to hand over account passwords or private information over the phone. There have been cases where employees have been tricked into wiring money to overseas bank accounts controlled by the bad guys.

These days it turns out that social engineering is one of the easiest to use tools that can be found in a hackers toolbox. It turns out that all of the information that they need to conduct an attack like this is now available to them online for free. The reason that it is all there is because companies have started to put more personal data online. This has opened the doors for less technical hackers to start to launch attacks against your company.

Studies have shown that these days roughly one-third of all hacking attacks start with some form of social engineering attack. Five years ago this number was roughly 19%. Social engineering attacks that choose to use a fraudulent business email to try to trick an employee into providing too much private information are now believed to be responsible for US$12.5 billion in losses.

How Can A CIO Counter Social Engineering?

There is some good news here, sorta. It turns out that the reason that social engineering is becoming such a big deal is because software companies have been making major investments in their products in order to make them more secure. At the same time, consumers have been moving a great deal of their data into the cloud and both of these events have made hacking the old fashioned way less effective.

So why do social engineering attacks work? It turns out that social engineering attacks rely on something caused psychological authentication. When a worker receives an email with the name of their boss in it, this causes a very large emotional response in them. It turns out that social engineering is based on that emotional response. As an example of just how effective techniques that tie into this are, it turns out that phishing emails have 10 times the click-through rate of standard marketing emails.

What can a CIO do to stop social engineering attacks on his or her company? Education about social media has to become a priority. Emails have to be sent out about new scams as they are detected. New hires have to be educated about social engineering. Another step is to factor social engineering training into employees compensation plans. Employees who do well on phishing tests can get a bonus, employees who consistently fail them may be let go.

What All Of This Means For You

CIOs need to understand that the types of threats that their company is facing are changing. The old days in which the bad guys tried to sneak bad code into your networks have not gone away. However, a much more insidious threat has emerged: social engineering. As CIOs we need to understand this threat and we need to come up with ways to defend against it.

Social engineering is an attack in which the bad guy reaches out to one of your employees and attempts to talk them into handing over confidential or personal information that can then be used to attack the company’s networks. The reason that social engineering attacks have been on the rise is because companies have started to put more and more company information online. These days most attacks against your company’s networks will start out with a form of a social engineering attack. Companies have made their software more secure and people are moving their data into the clouds and so it is becoming harder and harder for the bad guys to get to it. Social engineering attacks work because when a worker receives an email from a senior executive, it causes an emotional response that the bad guys use to get what they want. CIOs can stop social engineering attacks on their company by making sure that everyone is educated about the threat.

In the end, it’s going to be up to the person with the CIO job to shut the door on social engineering attacks. Most employees will stop responding to these types of threats if they are able to spot them and if they know what to do when they see one. Since the threat keeps changing, its going to be the job of the person with the CIO position to make sure that everyone keeps getting updated about what the threat looks like. Stay on top of this one and your company will be safe from social engineering attacks.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: What kind of punishment should an employee receive if they fall for a social engineering attack?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

When your IT department creates a new website for users to access, how do they go about securing it? If you are like most IT departments, you require users to make use of a unique username and a password. That password may be a bit complex: it has to be so long, must contain upper and lower characters, has to have a special character in it, etc. However, we keep reading about hackers who are able to guess people’s passwords and gain access to sites. What should a CIO do to stop this?