There is a very real risk to business security from Social Engineering attacks. By manipulating employees or others with legitimate access to business information, an attacker does not need to breach corporate firewalls or "brute force" passwords; they can potentially gain entry to, or control of, business data or systems through persuasion and deception alone. According to Gartner analyst Rich Mogull, "Social engineering is the single greatest threat to enterprise security".
Attacks often take the form of the (now well publicised) "phishing" emails which appear to be from a well known organisation, typically a financial institution, and seek to obtain personal information. More sophisticated attacks that target a specific organisation can be complex operations built on publicly available information about the business, its employees, clients or suppliers. The end goal may be simply obtaining confidential information, compromising user login credentials to gain unauthorised network access, or, in some cases, convincing the victim to trust a 'spoofed' email carrying software, so that malicious software is installed unknowingly and creates vulnerabilities across an entire network.
In the case of larger companies using overseas outsourced call centres, there is a real concern that data security is at risk through bribery or corruption of low-paid workers with poor morale. Would an attacker go after the data centre, or simply pay off an individual?
According to research by Azeem Aleem of the Institute of Criminal Justice Studies at the University of Portsmouth, SMEs are most vulnerable to "trust-based" or "authority-based" manipulation, where an attacker attempts to gain information by building a relationship with an individual or by convincing them that the attacker is a person of importance. He goes on to say "Social engineering is a growing threat to security in the corporate environment, with skillful and criminally-minded 'engineers' gaining employees' trust in order to exploit loopholes".
If an unknown person turned up at your office with appropriate information about your company or your IT provider, offering to assist with an IT problem or replace a "faulty" item of hardware, would they get through the front door?
How much information would a confident, manipulative attacker be able to get from a professional adviser, accountant, lawyer or IT support company about a client's business? What could a low-level employee at one of these firms be persuaded or manipulated to do in order to assist an 'important' person in your company?
As always with IT security, the key first step is raising awareness: recognising that you may be vulnerable and identifying what information of the business, or of its clients, is at risk. Discussion and incorporation into policy can then follow.
