Know this: it isn’t cheap. It’ll cost you an average of $150 per compromised file to recover from data loss, and thousands of files are compromised in the average attack, so you’re looking at a six- or seven-figure hit from just a single incident.
A million dollars and nothing in return… that’s not the kind of problem you want to deal with.
And besides that, do you want to be the kind of business that is known for suffering a major cyberattack (that’s assuming you even survive it, as 55% of small and medium-sized businesses are forced to close within just 6 months of an online security breach)? It’s going to freak people out a bit. Many potential clients will surely turn to someone else who doesn’t have a history of online security breaches.
Also, frankly, it’s just plain embarrassing.
It’s not just people forcing their way onto your network with savant hacking skills that you have to worry about. It’s just as important to protect yourself from clever phishers who know how to trick your employees into handing sensitive data over instead of breaking in and stealing it themselves.
Here are 5 tips that will help protect you from social engineering attacks:
Some information is more important than other information.
If someone asks for your phone number, that’s okay; it’s not really information that needs to be protected.
But watch out for the inquiries of social engineers, as they’ll usually do plenty of background work before they strike. There’s no reason for anyone to know which operating system you’re running, which company collects your trash, etc. A sudden sense of urgency is a good sign that something is wrong. Make sure that your employees know that if a question seems at all suspicious and it regards information that could be used against you, just don’t answer it.
But what’s just as important as the information itself is who is receiving that information.
If it’s not a source you 100% trust, don’t share anything. Many of the most effective phishers put their victims on the defensive by posing as the IRS, local police, or some other position of authority. Always call to confirm that you actually owe back taxes, unpaid fines, or any other sort of penalty before you follow a link or (god forbid) install some software from such an “authority”.
Also, look out for URLs that are just a bit off from a legitimate source, like goggle.com or something like that.
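A small check that automates the “just a bit off” test above, added here as an example and not part of the original post: it flags a link whose registered domain is one or two typos away from a domain you trust (like goggle.com), and a link that buries a trusted name inside a longer hostname. The trusted list, the two-label approximation of the registered domain, and the distance threshold are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example; a real deployment would use its own.
TRUSTED = {"google.com", "paypal.com", "irs.gov", "microsoft.com"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Approximate the registered domain as the last two labels.
    Assumption for the example: no public-suffix list is consulted, so
    hosts under suffixes like co.uk are not handled precisely."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def check_url(url, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched_domain) for a link.
    trusted    - host is a trusted domain or a subdomain of one
    suspicious - a trusted name appears inside a different domain
    lookalike  - the registered domain is within max_distance edits of a trusted one
    unknown    - none of the above; the link is simply not on the allow-list"""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    if reg in trusted:
        return ("trusted", reg)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    for t in trusted:
        if t in host:  # e.g. paypal.com.secure-login.example
            return ("suspicious", t)
    best = min(trusted, key=lambda t: edit_distance(reg, t))
    if edit_distance(reg, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)
```

A "lookalike" or "suspicious" verdict is a reason to pick up the phone, not proof of fraud; an "unknown" verdict only means the domain is not on your list.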
One of the more creative social engineering methods is to leave a USB stick loaded with malware on the ground between the parking lot and the entrance of your business. A surprising number of people will get curious, pick that thumb drive up, and plug it into your network just to see what’s on it.
This scam is even more effective if that USB stick has the company’s logo printed on it…
It seems like common sense, but a reminder never hurts: make sure your employees know not to plug any foreign devices into in-house equipment.
You’re going to need to make it clear exactly what you expect from your workforce in terms of protecting your network from social engineering attacks. Organize these tips and whatever other policies you want to implement, print them out, and make sure every employee has read and understands these protocols.
Of course, a “clear set of protocols” won’t make a difference if you don’t make sure those protocols are being followed.
Keep track of your employees’ behavior, and don’t be afraid to bother them if they’re not following all the rules. Repeat offenders should be penalized. We know it’s awkward to confront employees you see every day in this way, but when it comes to protecting your data, you’re protecting the very livelihood of your business.
Author: Joe Martin, Date: 2015-06-17