One of the biggest risks to your business is your people. It’s a hard truth, but one that you should always be mindful of. Back in May 2000, an email started to circulate that was simply titled ILOVEYOU and contained an attachment. The resultant virus infected over fifty million machines in the first ten days and caused an estimated $5.5bn of damage worldwide. The virus relied on a number of security flaws in Windows and exploited some bad design but – and this is the crucial point – it used social engineering as the key to its meteoric success. When an employee receives an email from a known contact with a rather surprising subject and an attachment, human nature takes over and the attachment gets opened and … oh dear.
Unfortunately, although security holes get closed and bad design gets improved, your staff will always be human. How has this threat evolved in the last sixteen years? These days, you will get an emailed invoice from a customer. Except that it isn’t. Or a spreadsheet that appears to contain gobbledegook and a button that tells you it will unscramble it. Except that it doesn’t. Businesses must continue to run and humans will be humans. What can you do?
Sack everyone? Well, yes. That solves one problem but creates rather more.
Education? A much better idea. Training your staff to recognise threats and to be suspicious of unexpected emails is a good start, but is it enough? Threats are constantly evolving, your people will, unsurprisingly, still be human, and social engineering will still have its wicked way with them.
The sad truth is that you will never completely eradicate the risks posed by social engineering. You can tighten up your anti-virus, you can scan everything multiple times before allowing it near your network and you can pour all of your hard-earned profits into plugging every tiny crack in the system that your inventive penetration testing people can find. Don’t allow this to become a millstone around your neck. Accept that there are always going to be weaknesses in your system and plan for that. Have a good disaster recovery plan. Implement it. TEST IT. Then, when the inevitable happens, you can kiss goodbye to a few hours of productivity rather than years’ worth of data.
One of our customers was hit by a virus that began with social engineering and ended with 500 gigabytes of their data being encrypted and held to ransom. Our disaster recovery plan was implemented and they lost some productivity during the recovery but didn’t lose one single file. Why not get in touch and find out how we can help your business to stay safe?