66% of UK SMEs surveyed as part of the Government’s Cyber Streetwise programme don’t think they are vulnerable to cyber attack, with many thinking they are of no interest to cyber criminals due to their small size. The survey also found that on average, the impact of a security breach was equivalent to a third of the company’s revenue.

When asked their views on some of the most common misconceptions about keeping their bussiness secure online, over three quarters (78%) of CEOs believed at least
one. These included the following myths:

  • Only companies that take payments online are at risk of cyber crime (26%) – All SMEs are at risk and whilst hacking of payment processing software is an obvious tactic, criminals are highly opportunistic and can benefit from stealing a wide range of data from businesses
  • Small companies aren’t a target for hackers (22%) – Small businesses are in fact a bigger target than ever because they typically hold far more data than the average consumer, but often don’t have any additional preventative measures in place to protect themselves. Last year 33% of small businesses suffered a cyber attack from someone outside their business.

Smaller businesses are more attractive targets for cyber criminals due to the higher likelihood of success. This is thanks to sub-standard defences and employees who are not trained and tested against social engineering methods.

95% of security breaches happen because people are tricked or taken advantage of, not because systems are hacked.

Social Engineering is the new Hacking

“Social Engineering is defined as any act that influences a person to take an action that may or may not be in their best interest.”

Christopher Hadnagy, Unmasking the Social Engineer.

Cyber criminals use emails and phone calls, cleverly tricking targeted individuals into carrying out actions that compromise security of data. Data falling into the wrong hands can be devastating for businesses, particularly those who are bound by information security regulations such as ISO 27001 or those who need to comply with regulations such as FCA or PCI.

As well as being a threat to security of data, social engineering is often used to manipulate people into transferring significant sums of business funds directly to bank accounts controlled by the criminals.

One French business lost £372,000 in an attack carried out in under an hour consisting of a series of emails and phone calls targeting the firm’s accountant.

This type of attack is known as ‘CEO Fraud’ – and it’s costing businesses millions.

You might expect cyber criminals to break through technological defences to steal data or money, but the vast majority of successful attacks only use technology to communicate with and monitor victims. The actual theft relies on old-fashioned trickery, not ‘Hollywood style’ hacking.

First, someone with the ability to transfer funds out of the business is identified. This is as easy as looking on LinkedIn or calling the business and asking to be put through to accounts. The person’s email address is then collected either by asking for it, or by guessing it (how email addresses are guessed or harvested).

Phishing methods are then used to get the individual to inadvertently install software which the hacker can use to record keystrokes and monitor communications.

The attacker will then wait until an opportune moment to strike. When they have identified the right time (for example when the boss is not in the office) they will send an email impersonating the CEO of the company, requesting a transfer of funds for a confidential business deal.

By the time anyone realises what’s happened, it’s too late.

How do you defend against social engineering?

Unfortunately, technological defences are not 100% effective against preventing social engineering.

Emails are not usually caught by spam filters because they’re tailored to an individual target, not sent out en-masse containing all the usual spam triggers.

Monitoring software can be prevented from being installed with good defences, but a successful attack doesn’t rely on this software, it just makes it easier.

The only way to be safe from social engineering attacks is to educate employees, repeatedly reinforce the importance of vigilance and the signs to look out for, and then continually test employees.

Businesses who are serious about protecting themselves against social engineering send out their own phishing emails to employees to test their ability to spot red flags. Those who fall for them can then be re-educated. Your IT provider should be able to help with setting up these training and testing programs.