According to the Global State of Information Security Survey 2018 by PwC, 27% of cyber breach incidents are the result of an employee action. Digging further into large cyber attack cases, the term social engineering kept cropping up. Within an information security context, social engineering can be understood as ‘the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.’ In many ways, this concept appeared more important than the technology itself: a phishing email is no good if nobody clicks on the link. Appealing to human fear, interest and the expectation of normal online interaction can provoke a panicked, irrational response which, in the light of day, sounds implausible. Let’s consider some examples to illustrate this point.
This cyber attack used a pop-up claiming the device had been used for illicit behaviour and that an immediate fine was required. To further drive home the veracity of the request, a webcam recording was included. We have all seen that Black Mirror episode, and this tactic worked well, with many individuals opting to pay the fine to make the elusive ‘criminal activity’ disappear.
TORRENTLOCKER / CRYPTOLOCKER.F, 2014
A ransomware attack dependent upon phishing emails avoided malware detection software by first directing victims to a legitimate website. On arriving at the site, the individual was asked to enter a CAPTCHA code relating to a missed delivery, a request that would hardly raise eyebrows. Upon completing this entry, a pop-up appeared and data was stolen, with payment demanded for the retrieval of the stolen files.
What these two examples serve to demonstrate is that we are more fallible than we like to believe. It’s not always as easy to detect an attempt at gaining access to your computer as it was with the scam email I received from Bill Gates earlier this year, wanting to give me however many billion dollars for no particular reason (see below for reference). A lot of work goes into understanding what will make you click, pay up and react before thinking.
To bring this brief post full circle, I am proposing a broader consideration of social factors to counter the successes of social engineering. Behavioural economics highlights the significance of nudge theory in encouraging and steering people towards ‘correct’ or ‘rational’ decisions. Why should this not be applicable to cyber security? Companies are already grabbing hold of this and trying to innovate when pursuing the cultural shift necessary to recognise and combat cyber crime. Even something as simple as a thank-you email to employees practising good cyber hygiene has been shown to have a positive impact. So maybe it’s possible to play the cyber criminals at their own game and socially engineer businesses to exude good cyber practice, awareness and consideration.