Are Third-Party Social Engineering Gaps Leaving Your Organization at Risk?
Phishing is one of the top ploys used by cybercriminals to gain access to your network. In 2022, the number of phishing attacks skyrocketed, with 61% more attacks than in 2021. Additionally, 76% of these involved targeted spear-phishing designed to harvest credentials. The bottom line: bad actors would like nothing better than to infiltrate your network, and they’re using employees as their targets. Employees are the first line of defense for all organizations, except when there’s an absence of social engineering training and testing.
According to data from the CyberGRX Exchange, 83% of third parties say they’re conducting social engineering training, but 42% aren’t testing whether it’s effective or checking the level of staff vulnerabilities. Houston, we have a problem.
Behavior is a better indicator than knowledge. If your third parties aren’t doing sufficient training and testing, what are the risks to you and what action should you take? We gathered Erich Kron, Security Awareness Advocate at KnowBe4, Dave Stapleton, CISO at CyberGRX, and Peter Finter, CMO, to talk about third-party social engineering gaps and the impact on your organization.
The Importance of Social Engineering Training & Testing
Social engineering is a psychological manipulation that coaxes victims into divulging sensitive information to gain access to your systems, network, or data. When an organization does not do social engineering testing, it may be at a higher risk of falling victim to social engineering attacks.
Some of the possible consequences of not doing social engineering testing include:
Lack of awareness: Without social engineering testing, employees may not be aware of the potential risks of social engineering attacks, making them more susceptible to falling for phishing scams and other types of social engineering tactics.
Lack of preparedness: Without social engineering testing, an organization may not be prepared to respond to a social engineering attack. This can lead to confusion and a slower response time, which can prolong the damage caused by an attack.
Data breaches: Without social engineering testing, an organization may be more likely to experience data breaches as a result of employees falling for phishing scams or other types of social engineering tactics.
Financial loss: Social engineering attacks can cause financial loss to an organization, either by stealing sensitive information or by compromising the organization's systems.
Reputation damage: An organization that falls victim to a social engineering attack may suffer damage to its reputation, which can lead to loss of customers and revenue.
Security awareness training and social engineering testing can help organizations identify employee vulnerabilities, and develop strategies so that attacks have a lower chance of succeeding.
We polled our webcast audience on the types of social engineering testing they are doing. The overwhelming response was simulated phishing attacks, though some are doing multiple types of testing.
Social Engineering: A First-Party Perspective
Social engineering is typically thought of as a first-party activity: how can you make sure your employees are making good decisions to protect your organization?
Instead of taking a blanket, general approach to social engineering awareness, start by pinpointing your company’s risk. Dave Stapleton shared the approach he uses at CyberGRX: “We start with an emphasis on risk. What are we going to focus on protecting? Which data? Which systems?
Once you’ve identified specific assets you need to safeguard, the next step is to identify potential attackers, considering who is going to threaten the digital crown jewels of our organization.”
Finally, Stapleton thinks about the specific kinds of social engineering attacks threat actors may use to try to snatch the rubies and diamonds of information and access credentials. He explains, “CyberGRX has a lot of intellectual property. We know that threat actors want access to it. They may start a phishing email, maybe using some spoofing as well. Thus, it’s essential to identify the crown jewels the digital burglar may be after, which thief may have their eyes on them, and what tactics they may use to gain access.”
After the what, who, and how have been identified, you can design your social engineering program accordingly. “Now we have a good idea as to what we want to train our employees on,” Stapleton explains. “How do you spot phishing emails? How do you spot a specific kind of targeted phishing email? If it looks like it comes from the CEO, for instance, how do you resist the urge to click on it?” Conducting tests, such as simulated phishing attacks, is the final piece, giving employees the chance to demonstrate how they resist the threat, as well as self-evaluate their performance.
“It is commonly understood that we need to plan and implement controls, but we also need to test them. We can't expect our stakeholders to excel in cybersecurity unless we are willing to engage them with exercises, scenarios, and opportunities to put concepts into practice,” added Stapleton.
Using Employee Decision Data to Inform Future Training
To further bolster your defenses against social engineering, Erich Kron advises that after training and testing with simulated attacks, you should examine employee decision data, then use it to adjust your next training. “Look at what your people are clicking on,” he says, “and use that to shape your future training.”
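As an added example (not from the webcast, and not KnowBe4's or CyberGRX's tooling), here is the kind of analysis Kron describes, run over constructed simulated-phishing results: click and report rates per lure template and per department, repeat clickers across campaigns, and a ranking so the next monthly module covers the lures people actually fell for. The column layout and the sample rows are assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): one row per user per simulated campaign.
# Columns: campaign, lure template, user, department, action ("clicked"/"reported"/"ignored").
RESULTS = [
    ("2023-01", "ceo-wire-request", "alice", "finance", "clicked"),
    ("2023-01", "ceo-wire-request", "bob", "finance", "reported"),
    ("2023-01", "ceo-wire-request", "carol", "engineering", "ignored"),
    ("2023-01", "ceo-wire-request", "dan", "engineering", "reported"),
    ("2023-02", "tax-form-w2", "alice", "finance", "clicked"),
    ("2023-02", "tax-form-w2", "bob", "finance", "clicked"),
    ("2023-02", "tax-form-w2", "carol", "engineering", "reported"),
    ("2023-02", "tax-form-w2", "dan", "engineering", "ignored"),
    ("2023-03", "mfa-reset", "alice", "finance", "reported"),
    ("2023-03", "mfa-reset", "bob", "finance", "ignored"),
    ("2023-03", "mfa-reset", "carol", "engineering", "clicked"),
    ("2023-03", "mfa-reset", "dan", "engineering", "reported"),
]


def rate_by(results, key_index, action):
    """Fraction of rows with the given action, grouped by the column at key_index
    (1 = lure template, 3 = department). Rounded to two decimals."""
    totals, hits = defaultdict(int), defaultdict(int)
    for row in results:
        totals[row[key_index]] += 1
        if row[4] == action:
            hits[row[key_index]] += 1
    return {k: round(hits[k] / totals[k], 2) for k in totals}


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: the people
    for whom generic awareness content is clearly not landing."""
    seen = defaultdict(set)
    for campaign, _, user, _, action in results:
        if action == "clicked":
            seen[user].add(campaign)
    return sorted(u for u, c in seen.items() if len(c) >= min_campaigns)


def training_plan(results):
    """Lure templates ordered worst-first by click rate, with the report rate
    alongside, so the next short session targets what employees fell for."""
    clicks = rate_by(results, 1, "clicked")
    reports = rate_by(results, 1, "reported")
    order = sorted(clicks, key=clicks.get, reverse=True)
    return [(t, clicks[t], reports[t]) for t in order]
```

On this sample the W-2 lure tops the plan and finance is the department to focus on, which is exactly the seasonal, data-driven tailoring described in the next section.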
How Often Should You Do Social Engineering Training?
We asked Erich, “What is the optimal cadence for your social engineering program?” “Frequent training is preferable to once a year or even once a quarter,” advises Kron. He goes on to recommend that even though each session doesn’t have to last longer than five or 10 minutes, sessions should be held frequently, such as every month.
In addition to high frequency, you should design your social engineering defenses around current concerns and conditions. Kron explains, “For instance, right now it’s tax time. People are trying to get victims’ personal information so they can execute tax fraud.”
New Dogs with New Tech—Using Old Tricks
Even though the tech used by threat actors has advanced, the phishing techniques are the same. As Erich Kron puts it, “We’re still dealing with social engineering and phishing that’s been around forever.” He continues, jokingly, “I think the second message ever sent on AOL was a phishing email.” Then, on a more serious note, Kron points out, “Phishing scams are still very effective. They’ve got this down to a science.”
Beware of Social Engineering-as-a-Service
The rise in phishing attacks may be due to the ease of execution for bad actors. Similar to ransomware, which has recently entered the “as-a-service” sphere, hackers can purchase pre-designed phishing attacks—as well as the support infrastructure to execute them—on the dark web. Not only do these dark services manage the entire backend of an attacker’s phishing campaign, but they even correct grammatical errors so digital thieves sound more credible.
Which Computer Are You Logging into? Are You Sure?
A highly sophisticated social engineering technique involves a hacker relaying your login through a machine they control, sitting between your computer and the real system. Then, when you enter your login credentials, you end up logging the hacker into the system. MFA isn’t slowing them down, either. Once you’ve logged the attacker in, Kron explains, “Their computer caches that session, and the system they’ve hacked no longer asks them for a username and password.”
Social Engineering: A Third-Party Perspective
As much as we think about social engineering to protect our organizations, we have to widen our lens to consider what our third parties are (or aren’t) doing, too. In the battle to combat social engineering tactics, many vendors are missing a key weapon in their arsenal: testing the level of employee susceptibility. Their lack of security awareness testing poses a risk to you, as they are taking a gamble on the savviness of their employees. Should they get breached, the bad actor now has an “in” to your network, too.
As an example, the recent Reddit breach resulted from a highly sophisticated phishing attack targeting Reddit employees. Slack, a popular app many organizations use, was also targeted, and a hacker stole “tokens” from a “limited number” of Slack employees. Twitter, too, was breached, and once inside Twitter’s systems, the attacker was able to move laterally. And the list goes on.
The bottom line: whether a vendor can access an internal system or merely holds a few extra contact details you can’t find online, a successful third-party phishing attack can be a danger to you.
What to Do if a Vendor Doesn’t Use Social Engineering Testing
In some cases, a vendor that doesn’t implement a social engineering testing system may not pose a threat. For example, if the third party has minimal access to your network, ask the question, “Would their compromise have an impact on my organization? Will they have access to sensitive data?” advises Stapleton.
If the answer is yes to either of these questions, look internally to see what changes you can make to mitigate the risk the vendor presents. If there’s not much you can do, it may be best to start looking for a different third-party solution.
In the end, to combat third-party social engineering gaps, focus on the human factor and assume a shared responsibility approach. Phishing emails will get through, so you—and your vendors—need to train employees on how to resist clicking them. And regardless of the measures your vendors have in place, closing security gaps involves teamwork, working with them, doing your part, and assuming at least some level of responsibility whenever possible.