Social Engineering and how it affects your coverage – assuming you’re covered at all
As successful, preventative cybersecurity methods have increased over time, cyber criminals have shifted their focus from technological attacks to attacks on employees by way of Social Engineering. Social Engineering isn’t some brand new phenomenon and can be seen in numerous examples across history. The earliest form of ‘pretexting’ comes from the story in the bible where the Devil tempts Adam and Eve with an apple. Early forms of ‘baiting’ can be seen with Ulysses use of the Trojan horse to get past the gates of Troy. In 2002, Hollywood even cashed in on Social Engineering with Leonardo DiCaprio’s portrayal of Frank Abagnale in “Catch Me If You Can.” While the practices of Social Engineering have been around since the beginning of time, there are plenty of holes in the way business insurance covers these threats. In this blog will discuss the different types of Social Engineering, the ways to help avoid them and where your insurance might fall short.
Types of Social Engineering
Social Engineering comes in a variety of different forms, online and offline. In a 2010 article from Gartner, the advisory company was quoted as saying, “…Many of the most damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking… Social engineering is the single greatest security risk in the decade ahead.” Unfortunately, today the list of Social Engineering tactics continues to grow and become more sophisticated. We’ve highlighted a few of the more common practices below:
- Pretexting: Scenario in which real knowledge is used to get more information out of a victim.
- Phishing: Process by which an attacker attempts to acquire sensitive information by pretending to be a trustworthy source, generally using bulk emails.
- Spear Phishing: Targeted attack on a person or organization in an attempt to penetrate that business’ defense systems.
- Water-Holing: Technique where an attacker targets a group of people by finding vulnerabilities in the websites they frequent, giving them access to a secure system.
- Quid Pro Quo: Process by which a victim is offered a benefit in exchange for information. This is commonly used by hackers who pretend to be IT Support.
- Baiting: Scenario where something of interest is dangled in front of a victim, usually through peer-to-peer interaction, social networking or in the form of a download.
- Tailgaiting: Process used to gain access to a protected area by following an authorized user into that secured area.
- Rogue: Form of malware that misleads a victim into paying for the “removal” of said malware.
Tips for Avoiding Social Engineering Threats
90% of all cyber attacks are successfully executed with stolen credentials, or socially engineered, from employees. That means that organizations are more vulnerable from inside threats, rather than outside attacks. Educating your employees is half the battle. Here are a few tips on how to avoid such threats at your office:
- Consider the source: Social engineers look for quick wins by using high-pressure tactics to get the victims to act quickly. Research the facts. An email from a trusted source such as a bank, may not always be the bank. Double check emails and never click an untrusted link. Delete any requests for financial information, passwords or offers to help.
- Beware of suspicious links and/or downloads: Hovering over a suspicious link is a good way to tell if the link is valid or not. Although, good scammers can still take you to a bad destination. If in doubt, use a valid search engine to take you to your desired destination.
- Spam filters: Set spam filters to high to prevent any of these suspicious styles of emails from ever reaching your employees.
Social Engineering Insurance. Am I covered?
Despite all the education and preventative measures around Social Engineering, it is inevitable that attackers will still find a way to fool at least one employee at your organization, if not more. It is imperative that organizations review their insurance policies to see what is covered. While traditional commercial crime policies generally contain a computer fraud and funds transfer fraud insurance agreement, many businesses are under the impression that these policies cover loss and breaches from social engineering. This is not true. A basic Cyber Liability policy does not provide you with coverage for events caused by social engineering.
Unfortunately, many of these agreements limit coverage to a direct loss resulting from “theft” using a computer system and not through many Social Engineering tactics. Because Social Engineering tactics generally cause an authorized transfer of funds by way of a fooled employee, the courts rule that these attacks do not fall under the same umbrella of a theft through that same computer system. This leaves many businesses at risk unless you add additional coverage to your current Crime or Cyber policies.
Proper insurance coverage can alleviate numerous headaches if/when data is compromised by Social Engineering hackers. Avoid the headaches and get in touch with Colony West today. Click here.