Fraud has always been a threat to us in our personal and professional lives. Advances in technology bring both the good and bad with them. A relatively new trend has emerged presenting us all with the threat of what’s been termed “Social Engineering Fraud.” We’ll look into this in a bit more detail today.
What is Social Engineering?
Often when we think of cyber-crime, we think of our computers or networks getting hacked by someone sitting in a dark room. Social Engineering is the use of psychological tactics to trick someone into giving up access, information or property. Common examples include sharing confidential information or transferring money.
It’s easy to think that we’re too smart to be tricked into something like this; however, criminals often exploit psychological blind spots. If we’re unaware of these blind spots, we’re at risk of falling prey to professional con artists.
One of the reasons this is such a problem today is because businesses invest in cyber and network security, but these systems all have one common vulnerability: people.
Here’s an example:
A “fire inspector” shows up at your office with full credentials. It seems reasonable to your receptionist and office manager, who escort the “fire inspector” around to different areas of the building. He does all the things you’d expect, like checking the fire extinguishers, circuit breakers, emergency lighting and exits. Then he asks for access to where the server is, and if any resistance is put up, he goes on to demand it because it’s “required.” Many people dislike – or even fear – confrontation, and a con artist will play on this. Once he gains access, he might use a USB plug-in device or something similar to gain access to the server remotely, or to bypass your firewalls.
While those are still threats, nothing in this example requires someone hacking through a firewall or sending phishing emails to your employees.
Three Ways to Fight Social Engineering Fraud
Awareness & Training
Employees must be made continuously aware of these and newly emerging threats. Simply being aware of the ways in which criminals look to perpetrate fraud is the first and best way to prevent loss.
Conducting regular training on these topics is important and doesn’t take too much time. Tack on 5-10 minutes to a meeting each month to review these.
Practice is also key. You can engage with companies that can conduct vulnerability testing with you and your staff. Part of this should include sending anonymous but harmless phishing emails to your employees and even having someone show up to try to infiltrate your office.
Processes & Procedures
While we want to avoid tying down our employees in processes and procedures, having the right processes in place for some key areas is vital to maintaining security. One area where this applies is physical security. Verify the credentials of anyone coming on premises. Have two people sign off on any entry to areas with sensitive information. Don’t leave sensitive information out in the open.
Designing the right process for your organization requires some time and customization, but it’s well worth it for the security that comes with it.
Processes should also be combined with practice and training. Practicing something even once or twice builds muscle memory and makes it easier to resist psychological tricks.
Transfer Risk with Insurance
However much prevention, risk mitigation, process and training you put in place, no system is perfect at keeping your business safe, preventing accidents, or stopping people from making mistakes. Even with the best programs in place, having the right insurance protection will protect your business from financial loss.
The relevant type of insurance for this risk is Cyber Insurance.
You may have heard of Cyber Insurance and you may already have a policy in place. But here’s a word of warning – Cyber Insurance policies can be incredibly different from one policy to the next.
With Social Engineering Fraud specifically, many policies do not include coverage. Those that do often carry higher deductibles and lower limits of coverage, and require that certain practices are in place before coverage can be triggered.
The first recommendation I have is to work with an insurance agent to conduct a survey on your specific risk to Cyber Crime. By assessing where you have exposure and the ways in which you’re currently managing your risk, you can gain insights into what – if anything – might need to be done.
This is something that should be done annually.
Next, compare your potential vulnerabilities to your current coverage. Most employers are confident in the protection they have, but there are almost always some gaps in coverage. If you’re confident in your coverage and don’t want to go through a survey or assessment, it might make sense to get a coverage audit. These things can be done easily with little time commitment for most businesses.
One Last Thing
With some of our carriers, we have access to a Cyber Risk Assessment. All that’s needed to run this assessment is your website address. If you’d like us to run a Cyber Risk Assessment on your website, please contact us at: firstname.lastname@example.org with your website address and we’ll be happy to provide you a copy.