Businesses are facing substantial risks to their finances and data as cyber criminals use information from social media and company websites to target employees in sensitive roles, according to new research. The new “social engineering” threats are posed by criminals who combine digital skills with traditional kinds of deception such as pretext phone calls.
In Great Britain, 61% of business leaders are now aware of the threat posed by social engineering attacks to the business they work for, 62% of businesses issue guidance to staff on both digital security and what kind of personal information to put online and 41% of firms now educate staff that human error is a key cause of cyber security breaches, according to research commissioned by Digitalis Reputation, the online reputation and digital intelligence firm.
However, business leaders themselves are often failing to take simple measures to guard themselves and their companies against social engineering attacks:
- Only 51% of business leaders adjust their settings on sites such as Facebook in order to restrict who can see their profile
- Only 36% act upon changes to privacy settings on social media sites
- Only 24% regularly check what information is available about themselves online or check data sharing policies when signing up to new online services
Dave King, CEO of Digitalis Reputation, said: “Even firms with state-of-the-art computer systems and software are being caught out by criminals targeting a staff member who has given away too much personal information on social media. Criminals use information from social media to craft bespoke phishing emails which show a very convincing understanding of the staff member’s life and habits. In these situations, staff members are often caught out, either directly by giving away company secrets or transferring money to criminals, or indirectly by clicking on links which allows hackers access to the company network. Our research shows that company boards need to rank these “human factor” risks much higher, as they are often relying on technical countermeasures alone.”
Real-life examples of the kind of over-sharing on social media that can lead to social engineering attacks include:
- a CEO who posted his birth date and mother’s maiden name on Facebook, which were then used to initiate an identity theft
- an ultra high net worth businessman whose teenage daughter inadvertently accepted friend requests from an investigator employed by a competitor
- a well-known entrepreneur whose children posted details of their holiday venue, travel and security arrangements online, together with pictures including identifiers such as the number plate of the family car
- a leading businessman whose PA posted detailed biographical and social information on her Just Giving page, while also identifying her boss on her LinkedIn page
While 63% of business leaders in Britain feel their board has a good understanding of the risks posed specifically by social engineering attacks, the new research suggests that even though some are seeking to reduce the risks posed by sharing too much information online, others are failing to do so. 69% of business leaders use different email addresses for home and work, 64% use “strong” passwords and change them regularly and 63% input the bare minimum of personal information when signing up to new services. 61% never share personal information on public platforms, 55% only accept connection requests on social media from people they know and 51% restrict their profile visibility on social media.
Dr Laura Toogood, Managing Director of Private Clients at Digitalis Reputation said: “Social media is a catalyst for social engineering and cyber attacks on firms generally. While there can be good business reasons why firms might embrace social media, business leaders also need to be more aware of the risks to them and their firms of posting personal information online. Criminals can sometimes find just one piece of information very useful, but sometimes nuggets of data that don’t appear significant on their own can be used to build up a very detailed profile of an individual and lead to a sophisticated attack.”
A small core of business leaders has adopted a highly cautious approach to their personal data – 20% of business leaders use encryption services and 18% never use social media because of concerns over privacy. 32% of business leaders said that they are concerned about data security at the companies they work for, according to the survey, which was carried out for Digitalis Reputation by YouGov.
Awareness of social engineering hacks is lowest at businesses with small turnovers (47% of firms with a turnover of under £1m per year) and at businesses established for less than five years (45%). 58% of business leaders at smaller companies (under 50 employees) use different email addresses for home and work, compared to 80% at bigger companies (over 250 employees). In IT and telecoms, 74% use strong passwords, compared to 51% in manufacturing and 48% in construction. 33% of staff in IT and telecoms companies regularly check what information is available about themselves online, compared to 16% in the retail sector. 34% of staff at IT and telecoms companies use encryption services, compared to 13% in retail.
The research fieldwork was carried out between the 1st and 8th of February 2016 by YouGov. 1049 completed responses were received, representing business leaders across business sizes in GB.