Today’s businesses, both large and small, are increasingly familiar with attempts by outsiders to break into their systems. To mitigate their risks, these companies rely on the latest high-tech security systems and technologies. Unfortunately, deploying such technologies can also breed a false sense of immunity.
However, one simple technique can effectively negate a company’s security plans and allow access to private or confidential information. This tactic, often used by criminals, is known as social engineering.
The following is an actual scenario provided by Gil Vidals, CEO of HIPAA Vault, involving social engineering:
Andrew, an IT consultant, was attempting to convince the CEO of a company to consider his recommendations for improving the company’s security infrastructure. Unfortunately, Andrew’s sales pitch failed to gain the CEO’s attention, and he was dismissed.
As a result, Andrew proposed a plan to obtain access to the CEO’s personal salary. He created a fake badge and pretended he was an IT consultant for the company. He then found some employees taking a smoke break in the company’s back parking lot. He went over, began to talk and joke around with them, and was able to convince them that he was a newly hired IT consultant.
When the break was over, they headed back into the company building. One of the employees used his security access card to open the door and held it open for the rest of the group – including Andrew. Andrew then spotted an empty desk with a computer and asked another worker whether the person who sat there would be returning soon. The worker told Andrew the desk would be empty until the next day because that person had called in sick.
Andrew deceived the worker into letting him work on the computer, saying he needed to fix their system. He then logged into the system and was able to access private company files, including the company’s salary file. He pulled up the CEO’s personal salary, collected the information he needed, and emailed the CEO his own salary figure.
“How did you get my salary?” asked the CEO, and Andrew proceeded to explain how he was able to infiltrate the company’s system.
This scenario is a perfect example of how simple social engineering can be. With minimal effort and the use of his social engineering skills, Andrew was able to gain access to a secure building. From there he reached a computer and, eventually, a confidential piece of information.
This leads us to ask two important questions: What made this possible? How can we avoid becoming a victim of social engineering?
In this case, the social engineering technique used by Andrew worked because he was able to easily gain the trust of the employees through deception. Yet the whole situation could have been prevented if each employee had followed normal security protocol and badged into the building individually, one by one.
It was a mistake for the employee – who may have thought it polite to keep the door open – to hold it open for the other employees. Employee training that reinforces these protocols is therefore an important part of keeping the company’s private information safe.
Even if your company has never been victimized by social engineering, it’s important to consider how you might become a target. Management should meet to plan preventive measures, including ways to mitigate security breaches and protect valuable company information.
Engaging an experienced Managed Security Service Provider to help oversee network access, using security tools such as password protection and two-factor authentication, can also help. Contact local law enforcement or a professional consultant if needed.