"But I don't even have an iCloud account!" my aunt said over the phone, as the realization of her fear began to set in. "Is this just a scam?!"
At this point, vishing scammers had already installed remote-access software on her PC and were trying to get her to buy Google Play Store prepaid cards and read them the codes so the "problem" with her "account" would be "fixed." In response, the plug was pulled, the hard drive was destroyed, and passwords were changed. A diploma from the school of close calls was earned that day. If only my aunt had known – if only she had been "patched"!
Institutions spend a considerable amount of money and energy to ensure that their workstations, servers, and network devices have the latest security software. We harden, secure, roll out, install, update, enable/disable, upgrade and patch our information systems (which are all good and necessary things!), but how often are we "patching" our employees? Is lumping a fifteen-minute slideshow presentation on security awareness into your annual end-of-year training enough?
According to a recent report by KnowBe4, 91% of successful data breaches started with a spear phishing attack (1). Why do attackers keep targeting humans? Well, we tend to be social, oftentimes lazy, and definitely creatures of habit. In short, we're low-hanging fruit. The weak link. Your file server isn't going to "forget" a security update after a late night at the office and no coffee in the morning. And the bad guys know it.
Culture of Questions
Are you creating a culture where employees are encouraged to ask? If someone receives a strange email that looks like it came from their supervisor, does that employee feel comfortable taking steps to question it? Don't rely on assumptions – the strength of social engineering comes from the many social complications in play!
"Well, the boss never makes a mistake, it has to be legitimate."
"They are on vacation now and I really shouldn't bug them. This must be the report they mentioned."
"It was just a false alarm last time – and everyone chuckled at the fact I thought it looked fake."
Can your employees question something potentially malicious, without fear? How do you know? Have you told them so directly? Have you told them again lately?
People learn through experience. By having employees take part in security awareness by asking questions when things don't seem right, you are creating security agents and installing human "updates" that won't soon be forgotten.
The Power to Verify
The drive to help is another social trait that attackers successfully exploit. Asking for the CEO's email address over the phone or posing as IT support and requesting the user's password are common tactics. What will your employees do when a person shows up claiming they need access to the server room? Will politeness lead to pilfering? It can and does!
There is nothing wrong with doing everything in our power to help someone. There is also nothing wrong with taking a simple step to verify the request. Is it inconvenient? Yes – security and convenience will always face off against one another. The goal is to strike a reasonable balance that protects your customers and your business. Do your employees have the power to walk that line? Do they have the power to verify?
Human Patch Management
You have deployed all the current system patches available – but when was the last time you checked the status of your human "patch" level? An "unpatched" human is just as vulnerable as that forgotten legacy system sitting in a dusty corner. And the next exploit is only a call, an email, or even a smile away.