People are frequently the weak link in data protection - so how can you ensure your employees are wise to social engineering?
Mon, 08 Jun 2015 09:33
The data of four million employees in the USA may have been compromised after federal government computers were hacked last week, as reported by the BBC.
It's currently unclear who carried out the attack, which has lead to a White House spokesman describing hacking as an "ever evolving threat."
Security software is also ever evolving, with firewalls, anti-virus and email scanners among the software solutions organisations put in place to protect themselves.
However, even the latest software struggles when it comes to the threat of human error which, as reported in our own Compliance News, is the biggest driver in data protection breaches.
Social engineering is one of a number of tools used by hackers to gain access to confidential material.
Rather than attempting to bypass login screens programmatically, as the traditional Hollywood vision of a 'hacker' might, this relies on capitalising on the errors in judgement of individuals to gain access to personal details which can be used to login to various services and access confidential information.
Take for example an individual who uses the same email address for multiple services, perhaps even emailing themselves password reminders for their work accounts. A hacker gaining access to that email account would likely have all the information they would need to access the confidential information of potentially thousands of people.
Some examples of what social engineering may look like include:
- Fake login pages – since many people use the same passwords across multiple sites, making a person think they are logging into one of them can give hackers access to all kinds of information on a variety of sites.
- Seemingly personal emails – by sending a personal-looking email, hackers can receive personal information including birth dates and addresses – exactly the kind of information that lets them log in via a 'forgotten password' feature on many websites.
- Creating a false urgency – by calling someone with an apparently urgent problem, hackers can trick people into giving away bank details or passwords.
- Social networking – many people have personal details publicly visible on social networks, or accept friend requests from people they do not know. This often gives hackers a wealth of information about the person, which can be used to gain unauthorised access to files.
- Bribery or intimidation – by making a person feel threatened, social engineers can often coerce them into revealing passwords granting them access to confidential information.
By capitalising on human flaws, hackers can circumvent even the most robust security software. A thorough employee training programme is therefore a key ingredient in any organisation's data protection policy.
Our Data Protection eLearning is designed to educate your staff on the laws and procedures involved in effectively managing data, and includes information on how to recognise and respond to the above tactics, reducing the risk of hackers illegally accessing confidential information.