How to Combat Social Engineering – the Biggest IT Security Threat to Small Businesses in the UK
Despite the increased threat of cyber-attacks, it has been observed that UK businesses are continuing to ignore warnings about the dangers of social engineering in cyber-attacks.
Here’s what you need to know and how you can combat it.
Social Engineering is big news in today’s IT security threat profile.
This is because, in so many IT systems, people are the weakest link – which makes social engineering attacks such as phishing, vishing and spear-phishing an attractive exploit for would-be attackers.
However, UK businesses are continuing to fail to take the threat of social-engineering attacks seriously.
A recent report from Callcredit Information Group found that less than a quarter of businesses believe social engineering will pose a major threat over the next two to three years.
This is despite 42% of fraud prevention managers already reporting that they frequently experience phishing attacks.
Failing to take the IT security threat seriously
So why this disconnect?
Despite our reliance on technology across all areas of business today, businesses are not investing enough time, effort and money to protect their IT real estate from malicious attacks.
For small businesses, the problem is even worse: according to Netwrix’s 2017 IT Risks Report, 73% of small businesses don’t have a separate IT security function.
Even for those that do, many lack the skills, tools and expertise necessary to counter today’s evolving IT security threat.
The flurry of activity around the GDPR deadline earlier this year demonstrates how many businesses fail to plan effectively around data and security – and how much activity is reactive rather than timely and proactive.
GDPR also adds a new dimension of risk to data security for UK businesses.
Under the regulation, businesses must be able to demonstrate they are adequately protecting the data they hold on individuals.
If they can’t – or don’t – they could face big fines.
Mitigating the risk of social engineering threats
So, what can businesses – and particularly small and medium-sized businesses – do to reduce the threat?
Since people are the weakest link in most security landscapes, the priority focus must be around training and awareness sessions.
These help users to identify potential threats, understand the risks and know what to do about them.
Security Awareness Training
Netstar provides a Security Awareness Training Programme which helps our clients educate their employees on security best practices and potential pitfalls.
The service then sends spoof phishing-style emails to business users. If a user clicks on one, it directs them to an online e-learning course that aims to improve their understanding of such attacks and their ability to spot them.
We’ve found that the training is invaluable for our clients; those who have taken it are more aware of potential IT threats and much less susceptible to cyber-attack.
Understanding where the biggest risks are within your organisation is another way to prioritise awareness-raising effort.
Spear-phishing attacks are targeted directly at those employees who have access to the most desirable information.
What Steps Should You Take?
Your first step should be to identify which information you hold is of most interest to hackers (e.g. financial information).
The second step is to understand who has access to that sensitive data and help them to recognise and deal with likely threats.
Supplement this effort with access controls and extra layers of user authentication, such as two-factor authentication, for the most sensitive systems, applications and data.
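The steps above come down to helping the people with access to sensitive data recognise a phishing email. As an added example (not Netstar's tooling, and not part of the original post), the script below runs the checks an awareness session typically teaches over a raw inbound message: a display name that claims the organisation's domain while the address sits elsewhere, a Reply-To that diverts responses to a third domain, link text that shows one site while the href points to another, and urgency or credential language. The organisation's domain (example.co.uk) and both sample messages are constructed for the example.

```python
"""Flag common phishing indicators in an inbound email (added example, not from the original post)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Domains the organisation treats as its own (assumption for this example).
TRUSTED_DOMAINS = {"example.co.uk"}
# Phrases that awareness training teaches people to treat as a warning sign.
URGENCY_WORDS = ("urgent", "immediately", "account suspended", "verify your", "password")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(addr_or_url):
    """Return the host part of an email address or URL, lowercased ('' if none)."""
    m = re.search(r"@([\w.-]+)", addr_or_url) or re.search(r"https?://([\w.-]+)", addr_or_url)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    indicators = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. Display name claims a trusted domain, but the actual address is somewhere else.
    for trusted in TRUSTED_DOMAINS:
        if trusted in display.lower() and sender_domain != trusted:
            indicators.append(f"display name mentions {trusted} but sender is {sender_domain}")

    # 2. Replies are diverted to a different domain than the one the mail came from.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # 3. The visible link text shows one domain while the href goes to another.
    body = msg.get_payload()  # single-part text/html in these samples
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        shown, actual = domain_of(text), domain_of(href)
        if shown and actual and shown != actual:
            indicators.append(f"link text shows {shown} but points to {actual}")

    # 4. Pressure language in the subject or body.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        indicators.append("urgency or credential language: " + ", ".join(hits))
    return indicators


# Constructed sample messages; the domains and addresses are made up for the example.
SAMPLE_PHISH = """\
From: IT Support example.co.uk <helpdesk@mail-secure-login.net>
Reply-To: accounts@collect-replies.org
To: finance@example.co.uk
Subject: URGENT: verify your account immediately
Content-Type: text/html

<p>Your account will be suspended. Please
<a href="http://example-co-uk.login-verify.net/x">https://portal.example.co.uk/login</a>
to verify your password.</p>
"""

SAMPLE_OK = """\
From: Alice <alice@example.co.uk>
To: bob@example.co.uk
Subject: Lunch on Friday
Content-Type: text/html

<p>Menu is at <a href="https://www.example.co.uk/menu">https://www.example.co.uk/menu</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The checks are deliberately the same ones a person is taught to make by eye (who really sent this, where does the link really go, why is it so urgent), so the output doubles as the explanation to show a user who clicked.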
Mitigating the overall security threat
Alongside your efforts to mitigate the social engineering threat, you also need to maintain good IT security across the board.
Even without in-house security expertise, there are several important things businesses must do in this regard.
Read our list of 4 things you can do to improve your IT security:
1. Install updates and patches
Out-of-date operating systems and software can be a major source of security vulnerabilities.
Cloud systems help with this, as software version control is managed centrally rather than on local devices and machines.
But, whatever your setup, you need to install updates and patches as soon as possible, so that you get the maximum possible protection against bugs and security issues.
2. Ensure you have the right protection
You need good security software: multi-layer firewalls can help to create tiered layers of security, with the most sensitive data behind the strongest protection.
Your firewall needs to be paired with intrusion monitoring and security log monitoring, so you can stay abreast of the threat levels and changing profiles.
Best practice recommends penetration testing – essential in some industries – to ensure you are protecting your networks and data.
Ensuring you have the right protection doesn’t have to be expensive; many cloud-based tools are available that help to drive down the cost of these solutions.
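Security log monitoring only pays off if someone, or something, actually reads the logs. As an added example (not part of the original post and not a Netstar tool), the script below runs one of the simplest useful detections over constructed sshd-style authentication log lines: a burst of failed logins from one address inside a short window, and a successful login from that same address afterwards, which is the case worth a phone call rather than a ticket. The log lines, hostnames and IP addresses are all made up for the example.

```python
"""Detect password-guessing bursts in authentication logs (added example, not from the original post)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the usual syslog/sshd layout; nothing here is from a real system.
SAMPLE_LOG = """\
Mar 12 09:14:01 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 09:14:03 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 09:14:04 fileserver sshd[2234]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 12 09:14:06 fileserver sshd[2236]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 12 09:14:09 fileserver sshd[2238]: Failed password for jsmith from 203.0.113.45 port 51026 ssh2
Mar 12 09:14:12 fileserver sshd[2240]: Accepted password for jsmith from 203.0.113.45 port 51027 ssh2
Mar 12 09:20:40 fileserver sshd[2301]: Failed password for jsmith from 198.51.100.7 port 40210 ssh2
Mar 12 09:31:15 fileserver sshd[2310]: Accepted publickey for jsmith from 198.51.100.7 port 40211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one sshd line into a dict, or None if it is not a login result. Syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return alerts: one 'brute_force' per IP reaching `threshold` failures inside `window_seconds`,
    plus a 'success_after_burst' for every later successful login from a flagged IP."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    recent_failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            recent_failures[ip].append(e["ts"])
            # Slide the window: keep only failures within window_seconds of this one.
            recent_failures[ip] = [t for t in recent_failures[ip]
                                   if (e["ts"] - t).total_seconds() <= window_seconds]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip,
                               "count": len(recent_failures[ip]), "at": e["ts"]})
        elif ip in flagged:
            # A success from an address that was just guessing passwords is the high-priority case.
            alerts.append({"kind": "success_after_burst", "ip": ip,
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately plain numbers so the rule is explainable to whoever is on call; the single failure from 198.51.100.7 followed by a key-based login is ordinary user behaviour and produces nothing, while the five failures from 203.0.113.45 followed by a password success produce two alerts.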
3. Take a more proactive approach to data management
Conducting an information audit is a necessary first step in any data management policy.
In order to secure your data, you need to know what data resides where.
GDPR and other industry-specific regulations are driving a reorientation in data management policy, making a strategy of defensible deletion a desirable option.
This way, you minimise the business risk associated with a data breach.
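An information audit starts with finding out which files actually hold personal or payment data. As an added example (not part of the original post, and not a substitute for a proper data-discovery product), the script below walks a directory tree and reports files matching loose patterns for email addresses, UK National Insurance numbers and card numbers, with a Luhn check so that order references and other digit runs are not mistaken for cards. The sample files and their contents are constructed for the example and the NI pattern is deliberately simplified.

```python
"""Information audit: find files holding personal or payment data (added example, not from the original post)."""
import re
import tempfile
from pathlib import Path

# Loose patterns: they over-match on purpose; the Luhn check then filters card hits.
# The NI pattern is a simplification (the real prefix rules exclude several letters).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits):
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return {category: count} for the personal-data patterns found in text."""
    found = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if name == "card_number":
            hits = [h for h in hits if luhn_ok(re.sub(r"[ -]", "", h))]
        if hits:
            found[name] = len(hits)
    return found


def audit_directory(root, max_bytes=1_000_000):
    """Walk root and return {relative_path: {category: count}} for files holding personal data."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole audit
        found = classify_text(text)
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report


# Constructed sample tree; nothing here is real data (4111 1111 1111 1111 is a well-known test number).
SAMPLE_FILES = {
    "hr/starters.csv": "name,email,ni\nA. Person,a.person@example.co.uk,AB123456C\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved.\nOrder ref 4111-1111-1111-1112.\n",
    "marketing/brochure.txt": "Visit us at www.example.co.uk for more.\n",
}


def build_sample_tree():
    """Write the constructed files into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="audit_")
    for rel, content in SAMPLE_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


def demo():
    """Build the sample tree and audit it."""
    return audit_directory(build_sample_tree())


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        print(path, found)
```

The report is the raw material for the rest of the policy: files that turn up where nobody expected them are candidates for defensible deletion, and the ones that are needed are the ones to put behind access controls and encryption.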
4. Encrypt data
As already mentioned, GDPR places greater onus on organisations to protect individuals’ data – whether employee, customer, or other individuals.
Encryption has an important role to play in how you secure and protect this data, as well as the other sensitive information that resides within your business.
If you are unsure how to make a start with any of these solutions, reach out to the Netstar team today.
We carry out proactive maintenance and monitoring for all our clients. This means making sure patches and updates are carried out as soon as they become available.
We also work with clients on the creation and adoption of IT Policies for their business.
Get in touch to find out more about our services and how we can help make your business more secure.