Photo by Soraya Iggy
At Infosecurity 2016, I gave a keynote talk on the elements of human nature and social norms which make us so susceptible to social engineering attacks. Infosecurity invited me to give the keynote drawing on my background in sociology and experience helping organisations mitigate against social engineering.
What is social engineering?
Social engineering is about using psychological tools such as charm, manipulation and deceit to elicit information or access to places and systems from people who should be keeping it safe. We associate social engineering with cyber security, because the way we use technology – the way we share, store and use information on the internet – has increased the attack space. This is why phishing attacks are at a 12 year high.
However, social engineering has undoubtedly been around for as long as mankind. History is littered with examples of it, some of which have been pivotal in social, economic and global development. For example, when the American industrialist Francis Cabot Lowell visited England in the early 1800s, he feigned ill health to win the sympathy of Lancashire mill owners and, using this sympathy combined with flattery, he was given tours of the cotton mills. In doing so he took the opportunity to memorise the mill blueprints. He used this information to build the mill towns of Massachusetts, enabling the United States to become the global leader in the cotton industry.
Why is social engineering so successful?
Whether online or not, we fall for social engineering attacks because they take advantage of human nature, fundamental parts of how we all tend to think and act, and social norms, the cultural and social pressures to do what is generally expected of us. For example, some argue that reciprocity is part of human nature. Our ancestors survived by sharing goods and services before we had currency and governments and so, it is argued, reciprocity is ingrained in our survival instincts. Even when a favour is uninvited, people feel obliged to repay someone who gives them something. This explains why 47.9% of people gave away their password when they were given chocolate immediately before being asked for it.
Much like reciprocity, humanity is innately curious, which brings many benefits. It underpins education, innovation and social interaction. But, when it comes to cyber security, curiosity can be a huge obstacle. Phishing emails thrive on the irresistibility of curiosity, enticing the reader to open the email and click a link or download an attachment. Curiosity may have killed the cat, but it makes a phish live.
People have a tendency to believe stories, whilst being sceptical of facts. Even the most senior and successful people can be taken advantage of by a well-crafted story and their success makes them more likely to both be targeted with social engineering attacks and, arguably, more likely to fall for them, too. This was the case in the recent example of the Austrian aerospace CEO who fell for a spear-phishing attack that cost the organisation £40 million, and cost him his job.
Use of social media has risen phenomenally in the last decade or so, with 20% of the world’s population now on facebook. At the same time, narcissistic personality traits have risen sharply. While a correlation has not been proven, research does suggest narcissism is related to the way young people use social media. Research suggests that the desire to have as many friends as possible, and to want those friends to know what they are doing, is higher among young people with narcissistic traits. This provides perfect breeding ground for social engineering attacks.
We have a tendency to assume that people are rational, and always make rational decisions. But when you’re running between meetings, hurriedly checking emails across devices and you receive a phishing email that plays to base emotions like those outlined above, taking time to make a rational, security-conscious decision is not the priority. Getting through the backlog of emails and progressing business issues is the priority. Mindlessness reigns and, as Dr Helen Langer commented a recent Security Through Education podcast, “when you’re not there, you’re not there to know you’re not there”. As Sunstein and Thaler outline so eloquently in Nudge, our brains are a battleground between Homer Simpson and Dr Spock – a rational, long-term planner trying to reign in a short-termist, impulsive thrill-seeker. Our challenge in battling social engineering attacks is encouraging people to engage more with the Spock in their brain and less with the Homer.
So, what can organisations do to mitigate social engineering threats? Having a robust cyber security culture, in which staff are empowered to challenge and prioritise security appropriately is the key. This culture provides the framework on which policies and procedures are designed and adhered to with security in mind. To achieve this, consider the following:
- Awareness-raising training should be focused on changing behaviours and making people conscious of the most prevalent threats and how they relate to them. So, for example, senior executives and finance staff should be made particularly aware of ‘CEO Fraud’ phishing emails.
- Procedures should be in place to ensure that financial transactions have to be signed off by more than one person. Pressure points in the process, such as a particular member of staff being overworked, need to be identified and managed so that people have more time to follow security procedures whilst meeting business requirements.
- Receptionists should be trained to stick to security procedures regardless of the apparent seniority of the visitor. Senior staff should be trained to know that this is a good thing for the organisation and everyone’s security, not an affront to their status.
- Wearing security passes in a company premises should be mandatory – as should taking the passes off when outside the premises (so that copies cannot be easily made).
- The organisation should have a social media policy which takes account of social engineering attacks.
Developing a strong cyber security culture is not straight-forward and it takes time, but it is worth it.
If you’d like to discuss your cyber security needs and how I might be able to help, or you would be interested in having me speak at your organisation or event, please email me at email@example.com.
— InfosecurityEurope (@Infosecurity) June 8, 2016