Why Social Engineering is Overlooked in Combatting Cybercrime

19 July 2024
phishing

In the realm of cybersecurity, technological defences are frequently prioritized over other aspects of security strategy. Firewalls, encryption, and advanced AI-enhanced threat detection systems dominate discussions on protecting sensitive data and digital assets. That’s all well and good; however, one critical aspect of cybercrime defence often gets overlooked: social engineering.

Despite being a prevalent and highly effective method used by cybercriminals, social engineering does not receive the same level of attention as technical security measures. It is estimated that between 70% and 90% of cyberattacks begin with social engineering, yet most organisations do not spend even 3% of their IT security budget on combatting it. This oversight can leave organizations vulnerable to sophisticated attacks that bypass even the most advanced technological defences.

Understanding Social Engineering

Social engineering exploits human psychology rather than technical vulnerabilities. Cybercriminals manipulate individuals into divulging confidential information, such as passwords or financial data, often through seemingly legitimate communications. Common tactics include phishing emails, pretexting (pretending to be someone trustworthy), and baiting (offering something enticing to lure victims).

Why is Social Engineering Ignored?

  1. Focus on Technology Solutions:

The cybersecurity industry heavily markets advanced technological solutions. It’s a very lucrative industry. Products like antivirus software, intrusion detection systems, and secure networks promise to protect organizations from cyber threats. This focus on technology can overshadow the human element, leading to a neglect of social engineering defences.

  2. Perception of Complexity:

Social engineering attacks often seem simpler compared to technical exploits. This simplicity can cause them to be underestimated. Many assume that because social engineering tactics are straightforward, they are less of a threat than complex hacking techniques.

  3. Lack of Awareness:

Many organizations and individuals are unaware of the extent and effectiveness of social engineering attacks. Unlike data breaches that make headlines, social engineering incidents may not always be publicized, contributing to a lack of awareness.

  4. Human Factors are Hard to Control:

Technology can be programmed, updated, monitored and reported on with relative ease. In contrast, influencing and changing human behaviour is far more challenging. Training employees to recognize and resist social engineering attacks requires ongoing effort, time and resources, which some organizations may be reluctant to invest.

The Consequences of Ignoring Social Engineering

When organizations focus solely on technological defences, they leave a critical gap in their security posture. Social engineering can bypass even the most sophisticated security systems by targeting the weakest link: human behaviour. Phishing attacks, for example, can trick employees into giving away credentials that provide cybercriminals with direct access to secure systems.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) reported that phishing was the most common type of cybercrime, resulting in significant financial losses. This statistic underscores the importance of addressing social engineering alongside technological measures.

The biggest social engineering attack of all time (as far as we are aware) was perpetrated against two of the world’s biggest companies, Google and Facebook: over a period of time, scammers created fake companies and invoiced employees for $100M of goods and services.

Implementing a Comprehensive Security Strategy

To effectively combat cybercrime, organizations must integrate social engineering defences into their overall security strategy. Here are some key steps:

  1. Employee Training and Awareness:

Regular training sessions should be conducted to educate employees about the different types of social engineering attacks and how to recognize them. Simulated phishing exercises let employees practise identifying suspicious communications. Employees should also be educated on all types of social engineering, such as whaling, baiting, spoofing, business email compromise, smishing, etc.

It is important to create a culture of security awareness and vigilance within the organisation. Although all employees should undergo training, some, such as those who deal with sensitive information or finances, or senior management, should receive additional education, as they are prime targets.

  2. Clear Policies and Procedures:

Establishing clear protocols for handling sensitive information can reduce the risk of social engineering attacks. Employees should know what steps to take if they suspect an attack and whom to report it to. For example, employees should be aware that they must not share confidential information with unauthorised people, and procedures should be in place to verify transfers of funds to new destinations.

  3. Multi-Factor Authentication (MFA):

Implementing MFA adds an extra layer of security, making it more difficult for attackers to gain access even if they obtain login credentials through social engineering. Additional factors such as hardware security keys can be advantageous.

  4. Use Spam Filters and Pop-up Blockers:

Spam email is a common vector for distributing malware and launching phishing attacks. Implement a robust spam filter to identify and block harmful messages before they reach your employees’ inboxes. Pop-up blockers prevent unwanted windows from appearing while you browse; such pop-ups are a common way for cybercriminals to distribute malware, phishing attempts and other malicious content.
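To make the filtering step concrete, the following is an added example (not Archway Securities’ tooling or any product mentioned on this page) of the kind of header checks a mail filter applies to flag likely phishing: a display name that claims a trusted domain the sending address does not match, a Reply-To on a different domain from the sender, a sender domain one character away from one of the organisation’s own, and urgency wording in the subject. The trusted-domain list and both sample messages are constructed for the example.

```python
"""Added example: header-based phishing indicators of the sort a spam filter
scores before mail reaches an inbox. The trusted domains and both messages
below are constructed for illustration, not taken from any real incident."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and one trusted partner domain.
TRUSTED_DOMAINS = {"example.com", "partner.example"}

# Subject-line phrases that pressure the reader to act without thinking.
URGENCY_PHRASES = ("urgent", "immediately", "verify your account",
                   "suspended", "within 24 hours")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, trusted: set) -> bool:
    """True when `domain` is one character edit away from a trusted domain
    (substitution, insertion or deletion) without itself being trusted,
    e.g. examp1e.com vs example.com."""
    if not domain or domain in trusted:
        return False
    for t in trusted:
        if len(domain) == len(t):
            if sum(a != b for a, b in zip(domain, t)) == 1:
                return True
        elif abs(len(domain) - len(t)) == 1:
            short, long_ = sorted((domain, t), key=len)
            if any(long_[:i] + long_[i + 1:] == short for i in range(len(long_))):
                return True
    return False


def phishing_indicators(raw_message: str, trusted=TRUSTED_DOMAINS) -> list:
    """Parse an RFC 822 message and return the sorted list of indicator names."""
    msg = message_from_string(raw_message)
    found = set()

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    name_lower = display_name.lower()

    # 1. Display name mentions a trusted domain or embeds an address whose
    #    domain differs from the real sending domain.
    embedded = {domain_of(a) for a in re.findall(r"[\w.+-]+@[\w.-]+", name_lower)}
    mentions_trusted = any(t in name_lower for t in trusted)
    if (embedded and from_domain not in embedded) or \
            (mentions_trusted and from_domain not in trusted):
        found.add("display_name_spoof")

    # 2. Replies are steered to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        found.add("reply_to_mismatch")

    # 3. Sender domain imitates one of our own with a single-character change.
    if is_lookalike(from_domain, trusted):
        found.add("lookalike_domain")

    # 4. Urgency wording in the subject line.
    subject = (msg.get("Subject", "") or "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        found.add("urgent_language")

    return sorted(found)


# Constructed sample: a credential-phishing lure impersonating IT support.
PHISH = (
    'From: "IT Support <helpdesk@example.com>" <alerts@examp1e.com>\n'
    "Reply-To: recovery@mail-verify.test\n"
    "To: staff@example.com\n"
    "Subject: URGENT: verify your account within 24 hours\n"
    "\n"
    "Your mailbox will be suspended unless you verify now.\n"
)

# Constructed sample: an ordinary internal notice with no indicators.
LEGIT = (
    "From: Payroll <payroll@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Monthly payslips are available\n"
    "\n"
    "Your payslip for June is in the HR portal.\n"
)

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH))
    print("legit:", phishing_indicators(LEGIT))
```

Real filters combine many more signals (SPF/DKIM/DMARC results, URL reputation, attachment analysis) and weight them; the point here is that each of the four checks is mechanical and cheap, and that a message tripping several at once is exactly the kind that should never reach a user who must then rely on training alone.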

  5. Continuous Monitoring and Testing:

Regularly testing the effectiveness of social engineering defences through audits, risk assessments and simulated attacks helps identify weaknesses and improve the overall security posture. The security team should also keep abreast of the latest threats and communicate them to the organisation when needed.

Conclusion

While technological solutions are crucial in defending against cyber threats, they are not sufficient on their own. Social engineering attacks exploit human psychology and can easily bypass technical defences if not adequately addressed. By recognizing the importance of social engineering and implementing comprehensive training and awareness programs, organizations can strengthen their overall cybersecurity and better protect themselves against the full spectrum of cyber threats.

At Archway Securities we offer tailored social engineering training for employees; speak to us about getting your staff informed about this significant threat.
