Despite the increased digitalisation and connectedness of organisations, social engineering remains the preferred method of attack when it comes to data compromise. In fact, recent figures indicate that 79% of social engineering attempts have been successful. Considering the financial and reputational impact this can have on business longevity, companies must do more to educate and empower employees to mitigate this risk.
“Data breaches used to predominantly be an IT problem. But given how data and technology have permeated every aspect of business today, companies must understand the effect cybersecurity compromises can have on the organisation. This is more so the case when it comes to the human element around data protection,” says Kate Mollett, regional manager for Africa at Veeam.
The real financial impact of a data breach is difficult to quantify. Decision-makers must consider the reputational and brand damage as well as any potential fines if data containing personal information have been compromised. And depending on the severity of the breach, some organisations are forced to close their doors given the sheer scale of the loss in consumer confidence.
Shopping season is coming
Seasonal shopping such as Black Friday (29 November) provides an opportunity for hackers to take advantage of peak online traffic and consumers’ willingness to part with their data when buying gifts for Christmas. We have seen high-profile retailers experience technical issues during these critical trading periods, and it is during downtime or unplanned outages that consumers become frustrated and take risks with the buying experience.
“Black Friday heralds the start of the shopping season in South Africa. But in the rush to get that special deal, people can get distracted and even feel compelled to purchase something to save a few Rands. This presents a significant opportunity from a social engineering perspective to target individuals and compromise their personal data.”
Getting caught up in the excitement of Black Friday can make a consumer an easy target for a hacker. For example, companies very seldom have the platform to deal with the spike in demand associated with such a once-off shopping onslaught. In turn, this results in customers not being able to complete a purchase and searching for alternative sites where they can shop. Often, these sites are set up to capture sensitive user information through sophisticated phishing attacks. This data is then used to either steal from the individual themselves or target a financial institution or large corporate.
In human nature
“Irrespective of whether an organisation is using the most advanced cybersecurity solutions available, people will remain the weakest link in protecting data. Social engineering is about manipulating a user group or targeting an individual to share information they would not ordinarily share. The reality is that it is quicker to trick someone into providing a password or credentials than it is to hack a system,” she says.
The rapid digitisation of consumer and organisational records has also seen an increase in global data breaches and cybercrime. The more information that is stored online, the more opportunities exist for malicious users to try to access it.
“Companies are continually building in checks and balances to protect their data. But the human factor remains a challenge. Such is the sophistication of social engineering that many people do not even realise they are being attacked or have been compromised. Even though organisations are trying to educate staff about cybersecurity, there will always be nuances that social engineers can exploit.”
However, this does not mean a company should just give up and expect the worst to happen. Instead, ongoing education must be conducted around social engineering aspects such as increasingly sophisticated phishing attacks. Hackers use phishing as a gateway to deploy ransomware, so protecting against it should be a significant strategic priority.
Much of this comes down to how people access data. Most companies have embraced the BYOD (bring your own device) mindset and let employees use their own devices for work and accessing the corporate network. However, some are rethinking this approach. For example, employees cannot take their personal devices onto the trading floor.
“A shift is starting to happen with more companies providing people with cell phones, tablets and laptops for work. These can be better secured and form part of a more integrated cybersecurity approach. The rise of social engineering and other forms of attack has resulted in businesses becoming more stringent in how data is accessed and shared.”
This benefits organisations with operations outside of the country, especially given the importance of being compliant with GDPR (General Data Protection Regulation).
“The financial repercussions of failing to comply with GDPR are significant. So, not only will BYOD be less of a priority, but user education will become more sophisticated. Teaching employees how to identify an attack, the steps they need to take if they have been compromised, and so on will become mission-critical. This also means that cybersecurity training will need to become top of mind for every individual at the business. Training must happen more frequently, new employees must be onboarded more effectively, and the entire approach towards data protection must be evaluated.”
The always-on business environment means attackers will target people irrespective of the time of day. The thinking around data protection must therefore shift into this always-connected environment. Inevitably, cybersecurity budgets will grow, and the security skills shortage will be addressed. But fundamental to this remains ensuring employees have an awareness around social engineering tactics and can respond accordingly.