Cyber Defense Magazine – August 2019


Despite the statistics, it often takes a crisis to shift companies into a security-oriented mindset. EY Global
reports that 76 percent of organizations “increased their cybersecurity budget after a serious breach” –
yet another sign that they didn’t take cybersecurity seriously until it was too late.


While preemptive cybersecurity measures like threat assessments and up-to-date security technology
can help companies fend off attacks, what if companies could prevent hackers from selecting them as
targets in the first place? What if, instead of merely decreasing the likelihood that an attack will be
successful or mitigating its consequences, they could decrease their susceptibility to hacking altogether?


Consider the following scenario: The CEO of a company is an active social media user who shares a
whole lot of personal material online – family updates, travel plans, political opinions, daily habits, and
many other forms of identifying information. While this may seem innocuous (it’s not as if he’s posting
bank account information or confidential data), he’s giving hackers a huge stockpile of information that
they can exploit to infiltrate his company.


For example, let’s say the CEO posts about an upcoming conference where he’ll be interacting with many
potential clients and keeping up with his daily responsibilities remotely. This is the perfect time for hackers
to launch a business email compromise (BEC) attack – a form of social engineering in which
cybercriminals impersonate someone in a position of authority at a company to steal sensitive
information.


Little does the CEO know, his email account has been compromised and hackers have been monitoring
his social media profiles for months, giving them abundant information to craft a believable fake email.
They send the CTO a message that goes something like this:


“Hey Jan – IBM is interested in working with us on that infosec project we discussed a few months ago!
I just chatted with the CISO and we have a call set for the Tuesday after I get back. I’d like to show him
the prospectus before I leave, but I forgot my login info and locked myself out of our system. Could you
send updated credentials ASAP? We’re meeting in an hour.”


All the information hackers needed to create such a realistic scam email could be found on social media,
from a Facebook picture of the CEO with IBM’s CISO at the conference to a LinkedIn post about how
long the conference would last to updates on Twitter about the company’s latest information security
initiatives. This isn’t to say the CEO’s posts were a serious case of security malpractice – social media
can be a great way to generate interest in your company, engage with customers, and share important
information. But even heavy social media users can limit their risk by making their personal accounts
private, only sharing intimate details about their lives with people they know, rejecting strange friend
requests and connections, never posting sensitive content, and considering the security implications of
everything they post.


Cybersecurity professionals have to recognize that even the most seemingly inconsequential disclosures
can lead to multi-million-dollar data breaches, and social engineering hacks like BEC are often what
precede these breaches. The 2018 FBI IC3 Internet Crime Report found that BEC was by far the costliest
type of cybercrime last year, causing almost $1.3 billion in losses. This means the best way to prevent
the most harmful form of hacking is to have educated employees who can spot attempts to manipulate
them and who always verify the identity of anyone requesting sensitive information.
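An added example, not from the article, of how a mail gateway or help-desk triage script could flag the message quoted above for out-of-band verification; the executive's name and the addresses are constructed placeholders. Because the CEO's own mailbox is compromised in the scenario, the sender check passes and the content cues (credential request plus urgency) are what trigger the hold.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed directory: executives and the address each really sends from.
EXEC_DIRECTORY = {"jordan lee": "jordan.lee@example.com"}

# Content cues drawn from the scam message in the article: a request for
# credentials combined with manufactured time pressure.
CREDENTIAL_CUES = [r"\bcredentials?\b", r"\blogin\b", r"\bpassword\b",
                   r"\blocked (?:myself )?out\b"]
URGENCY_CUES = [r"\basap\b", r"\bin an hour\b", r"\burgent\b",
                r"\bbefore i leave\b"]

def _matches(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)

def analyze(raw: str) -> dict:
    """Return BEC findings for one RFC 5322 message; 'hold' means verify
    the request out of band (phone, in person) before acting on it."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_content()
    known = EXEC_DIRECTORY.get(name.strip().lower())
    findings = {
        # A known executive's display name on an unrecognised address (lookalike domain).
        "sender_mismatch": known is not None and addr.lower() != known,
        # Replies silently redirected to a mailbox the attacker controls.
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        "asks_for_credentials": _matches(CREDENTIAL_CUES, body),
        "urgency": _matches(URGENCY_CUES, body),
    }
    # In the article's scenario the real mailbox is compromised, so the header
    # checks pass; credentials requested under time pressure must suffice alone.
    findings["hold"] = ((findings["asks_for_credentials"] and findings["urgency"])
                        or findings["sender_mismatch"] or findings["reply_to_mismatch"])
    return findings

# Constructed sample: the article's scam email from the genuine (compromised) mailbox.
SCAM = """From: Jordan Lee <jordan.lee@example.com>
To: Jan <jan@example.com>

Hey Jan - IBM is interested in working with us on that infosec project we discussed
a few months ago! I just chatted with the CISO and we have a call set for the Tuesday
after I get back. I'd like to show him the prospectus before I leave, but I forgot my
login info and locked myself out of our system. Could you send updated credentials
ASAP? We're meeting in an hour.
"""
```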


Your first and last line of defense against social engineering hacks like BEC is the development of a
culture of security. Just think of how many billions of dollars and how much consumer trust could have
been saved if even a fraction of the companies hit with BEC schemes last year had better-trained
employees. In fact, if those employees had adopted safer social media habits, hackers may not have
even tried to attack their companies in the first place.
