Tag Archives: Social Engineering

Social engineering “a top cause of cyber incidents” finds Cyber Resilience Report

Research commissioned by Crises Control from the Business Continuity Institute for its annual Cyber Resilience Report 2016 confirms much of what we already suspected about the changing nature of the cyber threat and the way that cyber criminals have found new ways to defeat corporate perimeter security.

66% of respondents to the survey reported that their companies had been affected by at least one cyber security incident over the last 12 months. The costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.

The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack. This is focused on the weakest link in the corporate security chain, which is now human beings rather than technology.

The term ‘social engineering’ describes this attack vector, which relies heavily on human interaction and often involves tricking people into breaking normal security procedures. The BCI research shows clearly that phishing (i.e. obtaining sensitive data through false representation) and social engineering are now the single top cause of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months.

A further 37% were hit by spear phishing (i.e. phishing through identity fraud).

The research has also confirmed that, to effectively counter this threat, companies now need behavioural threat detection provided by a cyber security network monitoring solution. These plug-in devices monitor your network for signs of suspicious insider activity and failed attempts to hack into the system.

They can also provide invaluable intelligence to be acted upon proactively to nip a successful hack or insider threat in the bud.

Traditional anti-virus monitoring software is no longer enough. The BCI research shows that 72% of companies have this software in place, but only 26% of real cyber security incidents were actually discovered through this route. Much worse, 18% of incidents came to attention through an external source such as a customer, a supplier or the impact on a public website.

Network monitoring solutions are much more effective than anti-virus software in terms of alerting companies to a cyber breach, with 63% of businesses having network monitoring software in place and 42% of cyber incidents being brought to attention through the work of the IT Department to whom such systems report.

The scale of the cyber threat can feel overwhelming at times, but educating your own employees about the nature of the threat and then putting in place the right solutions can go a long way towards mitigating the social engineering threat and significantly enhancing your corporate cyber resilience.

The message is simple… Act now before it’s too late.

Filed under Risk UK News

“Faster response times needed to combat cyber threat” finds BCI survey

Two thirds of respondents to a global survey carried out by the Business Continuity Institute report that they had experienced at least one cyber incident during the previous twelve months, while 15% stated they had experienced at least ten incidents during the same period.

The frequency of these cyber incidents demonstrates exactly why it’s so important for organisations to have plans in place to mitigate them or otherwise lessen their impact.

The Cyber Resilience Report, conducted by the BCI and sponsored by Crises Control, found that there was a wide range of response times for cyber incidents. Almost a third of organisations (31%) stated that they responded within one hour. However, one fifth (19%) take a worrying four hours or more in responding to a cyber event, while almost half (44%) take more than two hours to respond. This has clear implications for the time taken to return to business as usual, and the ultimate cost of the incident to the host organisation.

Even if businesses wish to respond immediately to a cyber attack, the nature of the attack may render them unable to do so. The research finds that phishing and social engineering are the top causes of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months and 37% attacked by way of spear phishing.

The BCI has discovered that 45% of companies were hit by a malware attack and 24% by a Distributed Denial of Service episode. All these forms of attack will, in different ways, render an organisation’s own network either contaminated or inoperable. Their website may have been taken down and they may well have to switch off their Internet connection until they can secure themselves from further attack.

A detailed study of 369 business continuity and resilience professionals from across the world, the research also reveals that the costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.

David James-Brown FBCI, chairman of the BCI, commented: “This piece of research is one of the most timely, insightful and relevant the BCI has ever produced. Cyber attacks tend to target the weakest links of an organisation. That calls for a greater awareness of cyber crime. As the cyber threat evolves, it’s crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”

Rickie Sehgal, chairman of Crises Control, added: “Rapid communication with employees, customers and suppliers is vital for any company in terms of responding effectively to a major business disruption event such as a cyber attack. When your business is at risk, even a one-hour delay in responding to an incident can be too long. Taking more than two hours to respond, as almost half of companies appear to do, is simply unacceptable.”

Filed under Risk UK News, Uncategorized

Over £21 million lost to social engineering scams since the beginning of 2014

Get Safe Online, the UK Government and private sector-backed information service on Internet safety and security, is raising awareness of ‘social engineering’ scams through a new series of informative videos offering advice and tips.

A type of confidence trick, ‘social engineering’ is the use of deceit to manipulate or trick victims into certain actions including divulging personal or financial information. Examples include phishing e-mails and fraudulent phone calls asking for personal or financial information – known as ‘vishing’ – or phone calls from fraudsters impersonating computer technical support agents.

According to FFA UK, approximately 23% of people in the UK have received a cold call requesting personal or financial information, potentially putting them at risk of becoming a victim.

In the first five months of this year alone, some of the UK’s main High Street banks have reported losses of over £21 million from vishing attacks on their customers, with over 2,000 vishing attacks resulting in an average loss of over £10,000 per victim.

Social engineering exploits human nature and plays on victims’ emotions such as protecting themselves, their family and finances, gaining something of advantage or willingness to please others. It’s a factor in many types of fraud.

Schemes may be elaborate and highly convincing

Tony Neate, CEO of Get Safe Online, commented: “It’s important that the public are aware of what social engineering actually is, as there are so many types which can lead to the theft of your money or identity. It can be easy to fall prey to social engineering because schemes can be elaborate and highly convincing, with approaches usually made by somebody you think you should trust or appears to be in authority. It’s not just individuals who are likely victims, it’s also businesses.”

Neate added: “We hope that by raising awareness of how to avoid becoming a victim of social engineering through our online videos and activity with our partners, we can help prevent it from happening to others.”

Alasdair MacFarlane, head of customer security at NatWest, said: “NatWest is committed to providing safe and secure banking alongside an excellent level of customer service. Fraudsters are always looking for new ways to gain access to money which is why we offer our customers a Secure Banking Promise, as well as lots of advice on our website to help them avoid falling victim to a scam. We’re delighted to be working with Get Safe Online in raising awareness on this important issue.”

Dawn Cornwall, fraud and security manager at Lloyds Banking Group, explained: “At Lloyds Banking Group we are committed to making sure our customers’ Internet banking experience is as safe as possible. We use cutting-edge technology to protect their personal information and privacy. We also have our online guarantee in place if a customer experiences fraud in Internet banking and a wealth of advice and guidance on our websites. We’re really pleased to be working with Get Safe Online on the Social Engineering campaign.”

Alex Grant, Barclays’ managing director of fraud prevention, stated: “We’ve seen from our own interaction with customers who have fallen victim to social engineering frauds that the loss of hard-earned savings causes great emotional distress, as well as having a significant financial impact. This is why raising awareness about social engineering scams and protecting customers from fraud is one of our highest priorities. Barclays fully endorses this awareness campaign and we’re pleased that our sponsorship of Get Safe Online is helping provide consumer education and promote awareness of scams such as these.”

Detective Superintendent Peter O’Doherty is the head of the NFIB and Action Fraud. Speaking about the Get Safe Online initiative, he said: “The face of crime has significantly changed in recent years, with much of today’s offending being conducted not on a face-to-face basis but over the phone and through a computer. People need to be aware there are ruthless, calculating criminals using social engineering scams to obtain personal and financial information that makes them a profit and individuals and businesses the victims of crime. This multi-media Get Safe Online campaign will shine a light on these practices and help the public know when they are being targeted and the best ways in which to protect themselves.”

How to avoid becoming the victim of social engineering

Getsafeonline.org offers a number of tips on how to avoid becoming a victim of social engineering:

• Always be wary of people requesting confidential or personal information by whatever means, however convincing they may seem
• Never reveal personal or financial data including usernames, passwords, PINs or other forms of ID
• Be very careful that people or organisations to whom you are supplying payment card information are genuine, and then never reveal passwords. Remember that a bank or other reputable organisation will never ask you for your password via e-mail or a phone call
• If you receive a phone call requesting confidential information, verify that it’s authentic by asking for a full and correct spelling of the person’s name and a call back number
• Check the number matches the contact number on the relevant website. Even then, the criminal may have used special software to display the authentic number
• If you are asked by a caller to end the call and phone your bank or card provider, call the number on your bank statement or other document from your bank – or on the back of your card. However, be sure to use another phone from the one you received the call on to ensure that a fraudster is not on the line by having kept the call open. If you cannot access another phone, be sure to hang up for at least five minutes before you dial out, or call a friend (whose voice you recognise) before making another call
• Do not open e-mail attachments from unknown sources
• Do not readily click on links in e-mails from unknown sources. Instead, roll your mouse pointer over the link to reveal its true destination, displayed in the bottom left corner of your screen. Beware if this is different from what is displayed in the link text of the e-mail
• Do not attach external storage devices or insert CD-ROMs/DVD-ROMs into your computer if you are not certain of the source, or just because you are curious about their contents
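One way to automate the link tip above for a whole mailbox rather than one hover at a time, as an added example that is not part of the Get Safe Online material: it parses an HTML e-mail body with Python's standard library and flags anchors whose visible text names one domain while the href actually points to another. The sample message and the example.com/example.net domains are constructed for illustration.

```python
# Added example (not the page's code): automate the "hover and compare link text" tip over an HTML e-mail body.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# A domain name, optionally with scheme, appearing in the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_part(host):
    # Crude comparison on the last two labels: www.example.com -> example.com
    return ".".join(host.lower().strip(".").split(".")[-2:])

def find_mismatched_links(html):
    """Return (visible_text, real_host) for links whose text names another domain."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if not shown or not real_host:
            continue  # "click here" style text has no domain to compare against
        if registrable_part(shown.group(1)) != registrable_part(real_host):
            suspicious.append((text, real_host))
    return suspicious

# Constructed sample (reserved documentation domains): an honest link, a "click here" link, a text/href mismatch.
SAMPLE_EMAIL = """<p>Review your account at
<a href="https://www.example.com/login">https://www.example.com/login</a>.</p>
<p>Or <a href="https://help.example.com/faq">click here</a> for help.</p>
<p>Verify now: <a href="http://login.example.net/verify">secure.example.com</a></p>"""
```

Only the third link is reported, because its text claims secure.example.com while the href goes to login.example.net; a plain "click here" link cannot be judged this way and still needs the hover check.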

*For more advice on how to avoid this type of fraud visit: http://www.getsafeonline.org/socialengineering to watch the online advice videos

About Get Safe Online

Now entering its eighth year of operation, Get Safe Online (www.getsafeonline.org) is the UK’s national Internet security awareness initiative.

A joint partnership between the UK Government, the National Crime Agency (NCA), Ofcom, law enforcement bodies and private sector sponsors from the worlds of technology, communication, retail and finance, the initiative continues to educate, inform and raise awareness of online security issues to encourage confident and safe use of the Internet.

GetSafeOnline.org is supported by Barclays, Bob’s Business, Creative Virtual, the Department for Business, Innovation and Skills, HM Government, HSBC, Kaspersky Lab, Lloyds Banking Group, the National Crime Agency, Symantec, the National Fraud Authority and Action Fraud, Ofcom, Microsoft, PayPal, Standard Life, Gumtree, Camelot, Detica, StubHub, Nominet, PurchaseSeal, ValidSoft, Business Link, the Charity Commission, Citizens Advice, the Association of Chief Police Officers, the Information Systems Security Association, e-Crime Wales, Information Risk Management plc, the Institute of Information Security Professionals, RG (Interactive Media in Retail Group), the International Association of Accountants Innovation and Technology Consultants, the Internet Services Providers’ Association, Neighbourhood and Home Watch, PTA-UK, SafeBuy, Safer Jobs, the Scottish Crime and Drug Enforcement Agency, Scottish Police College, the Scottish Business Crime Centre and UK Online Centres.

Filed under IFSECGlobal.com News