31 May 2021

Cybercriminals are finding ways to exploit our psychological vulnerabilities during social engineering attacks. What can be done to protect yourself and your business? We provide a refresher of social engineering, discuss the art of psychological manipulation with insights from Kevin Mitnick and address ways to prevent attacks on your business.

Social engineering: A refresher
It’s been a while since we last discussed social engineering and the effect it can have on your business, so today we hope to provide a refresher, looking a little deeper at what it is and how this attack relies on exploiting employee psychological vulnerabilities.

As online security expert Kevin Mitnick explains in this blog post, “Social engineers know that it’s a basic human instinct to trust something that looks legitimate.” In saying this, Mitnick is referring to personally identifiable information (PII) that is readily available to cybercriminals online, including information available via your business’s website or employee information available on LinkedIn.

The art of psychological manipulation
Over the years, as Mitnick explains, social engineering techniques have evolved. In the 1990s Kevin Mitnick was one of the most wanted cybercriminals in the US after he successfully social-engineered an attack on Motorola, building rapport with a Vice President who gave him access to internal contacts, through which he eventually got hold of valuable information. Now a renowned cybersecurity consultant, Mitnick works to help organisations identify these types of threats:

‘These cunning engineers use the principles of human psychology to build trust with a user — often someone directly associated with their targeted organization — knowing that the person may be their “in.”’

This article from IT Wire describes the threat that social engineering attacks pose to Australian businesses, touching on common techniques used by cybercriminals and solutions to prevent them. The techniques the article focuses on include harvesting details from social networking platforms and using that information to craft emails that appear authentic. Another technique described involves hardware devices such as a USB stick: an employee could be sent or handed a USB stick that, once inserted into their computer, infects their systems with malicious files.

Preventing attacks on your business
The key tip from the article for preventing social engineering attacks is to create a human firewall by hiring more staff and educating them on cybersecurity best practices. Steps to do this include:

  • Explain the importance of cybersecurity within your business.
  • Keep strategies simple.
  • Hold regular education and training.
  • Explain the software in place to protect devices.
  • Recognise contributions in identifying attacks.
  • Ensure contractors understand their role in preventing these attacks too.

Social engineering exploits psychological vulnerabilities and uses employee manipulation to gain access to internal systems, and as we can see, this poses a real threat to Australian businesses. We strongly recommend you consider your cybersecurity strategy and ensure that the human element has been taken into account. In a world of systems and devices, it can sometimes be forgotten.

Have a question, comment or idea for a future blog post? Email us at blog@afilias.com.au today.