The Social Engineering Factor in Security Breaches

Paul Mah

Security and data breaches are hardly new, and if recent news reports are anything to go by, their pace has picked up recently. Having followed these stories with interest, and reported on some of the cases myself, I cannot help but notice the social engineering angle inherent in many of them.


Take the case of the ex-Gucci network engineer who was alleged to have accessed his former company's network without authorization. The crux of the illicit access appears to revolve around how the man tricked the IT department into activating a stolen VPN token device. According to the statement from the district attorney's office, this opened the way for him to gain remote access via the VPN gateway and subsequently sabotage the network using his knowledge of administrator-level passwords. The technical controls were in place; it was a human decision to activate the token that defeated them.


In the RSA security breach that I wrote about last week, it was revealed that a spear-phishing campaign enticed an employee into opening an email containing a specially prepared file titled "2011 Recruitment Plan.xls." The system never stood a chance once the spreadsheet was opened, since the innocuous-looking document contained an embedded Flash file that exploited a new security vulnerability to surreptitiously install a backdoor.


While traditional wisdom calls for training to increase the computer-savviness of users, new research suggests that this alone is inadequate. The multi-university study, "Why do people get phished?," offers an in-depth exploration of why people fall prey to phishing scams. What I found particularly interesting was this finding from the executive summary:

The study also showed that a person's competency with computing did not protect them from phishing scams, but their awareness about phishing, in conjunction with healthy email habits, helped them avoid online deception.

Taken at face value, it would appear that computer skills alone do not render one any less susceptible to phishing attempts. And given that phishing is really one facet of social engineering, it follows that the best defense against trickery in general is not merely to attend more courses, but to stay in the loop with regard to new exploits and digital trickery.


In this context, it is probably more useful for SMBs to forward regular summaries of recent scams and write-ups of social engineering attacks than to keep circulating security reminders and the company's computer usage policy that nobody reads anyway.
