Employees: the weakest link

Social media allows hackers to research their targets. PHOTO: THINKSTOCK

As manufacturers invest in cutting edge technology to protect their networks and digital assets from cyber attacks, hackers are targeting people instead of technology to gain unauthorized access to networks.

Cyber criminals are relying on social engineering and using various techniques (e-mails, telephone calls, impersonating other individuals) to manipulate employees into divulging sensitive information including usernames, passwords and credit card data.

Many of those targeted are aware they are disclosing information but fail to recognize its value and how providing it can seriously compromise the entire organization.

Easy access to personal information on social media platforms such as LinkedIn and Facebook allows hackers to research their targets (full name, birth date, job title, favourite activities or sites they visit) and use that information to gain their trust and confidence.

The most common tactics include:
• Phishing. The attack may come as an e-mail that appears to be sent by a legitimate business (bank, airline) requesting verification of information. The e-mail warns failure to take action will result in some dire consequence, such as the deactivation of an account or financial penalties, but clicking on the link gives the hacker access to the network or other sensitive information.
• Pretexting. The cyber criminal impersonates co-workers or other individuals, organizations or agencies (such as banks or police) who the victim perceives to have authority or right-to-know. Pretexting relies on an elaborate lie based on prior research and the use of this information for impersonation (date of birth, social insurance number, last bill amount) to establish legitimacy.
• Baiting. This technique follows the mechanics of phishing but a criminal will promise the victim an item or reward in exchange for certain information, such as log-in credentials.
• Tailgating. Hackers will usually target small to mid-size businesses that lack robust security measures (key card access) and will pretend to be an employee (or a new employee). A cyber criminal may impersonate a janitor, gain entrance to the premises and access confidential information or steal documents.
What steps can your company take to ensure employees are ready to meet this threat? Here are three defences that are quickly implemented:
• Training. Have specific policies in place that assume your employees will be targeted. Include specific rules for e-mails, web browsing, mobile devices and social networks.
• Regular refreshers. Training is not a one-time event. Have regular, focused sessions with employees about different types of social engineering techniques. Organizations with regular employee churn should conduct more frequent refreshers and training sessions.
• Testing. Training and refreshers are great but how do you know employees are prepared? Consider retaining a third party to test staff with table top exercises and/or unannounced penetration exercises.

Educating employees on the technological, social and psychological aspects of social engineering establishes an integrated defence consisting of knowledgeable staff, up-to-date cyber security policies and frameworks, and effective incident response protocols.

Imran Ahmad, a lawyer at the Toronto law firm Cassels Brock & Blackwell LLP and member of the firm’s privacy group, develops and implements strategies related to cyber threats and data breaches. Katherine Thompson is the chair of the Canadian Advanced Technologies Alliance’s Cyber Council.

This article appears in the April 2016 issue of PLANT.