From financial to reputational loss, the consequences of falling for a ‘people hack’ are potentially disastrous for accounting firms and their clients. Social engineering expert Jenny Radcliffe offers tips on how to protect against criminals looking for a way in.
The human element of any security system is always its weakest link. Human beings have gaps in their attention spans and fallible memories, are emotional beings that can be manipulated, persuaded and blackmailed, and can be swayed by flattery, influence and persuasion.
This being the case, as technology gets more advanced and organisations invest more in physical security measures, criminals are ramping up the people hacking (sometimes known as “social engineering) element of their efforts to infiltrate and attack organisations.
Social engineering takes many forms: from bogus phone calls, requests for assistance and fake headhunting emails to talking a way past security, installing surveillance equipment and planting infected USB drives. The list of potential methods is endless, but the goal is always the same: to steal your information, data, identity or cash.
Many of these attacks have a low digital footprint and are, as such, extremely difficult to trace.
The best defence is awareness
As these types of attack increase, companies must learn to protect themselves and the most effective defence is that of awareness.
For example, most people are not even aware of how dangerous giving away even minor operational details of their company is. This is unsafe predominantly because it builds a picture of a company that can be exploited.
Most of us think nothing of posting innocent-enough information or picture on social media sites such as Twitter, LinkedIn and Facebook, without realising that criminals can use all the little pieces of the jigsaw to construct a detailed plan of how a firm operates, and find a way to infiltrate it.
Most larger cons and sophisticated technical attacks start with some sort of intelligence gathering, which will nearly always be based on freely available information hackers can find on the web, or extract via a ‘phishing’ call from employees. This will then be used to help build relationships and target specific staff for their detailed knowledge of the company and access to sensitive data or financial systems.
All firms are vulnerable
All companies have something they wish to protect or keep private, and accounting firms have sensitive client data that, if compromised, could result in the ruin of both the client and the firm itself.
Regardless of the size of the organisation, most practices are vulnerable. While high-profile security breaches such as last year’s attack on Deloitte made headlines for its size and scope, smaller firms are also targets as they are often unaware of the threats, and cannot afford to invest in sophisticated security software or systems or employ a security professional for advice.
However, there are some easy and cost-effective ways to help strengthen our defences from an attack on our people. Here are five things everyone can do to help protect themselves and their organisation better.
- Be cautious about who can see your personal social media profiles. Most posts do not need to be ‘public’ and we should regularly check our privacy settings to ensure that we are not broadcasting details about our lives and family to the entire world.
- Use strong passwords, preferably through a password manager service, which are often cheap and simple to implement. Don’t re-use passwords or write them down.
- Teach everyone in your organisation to be cautious about email and text messages that contain links or attachments. Do NOT click on these unless you are certain that they are from a verified genuine source.
- If a phone call makes you feel rushed, fearful or promises something you weren’t expecting, err on the side of caution, politely hang up and independently verify the caller and situation to check its authenticity.
- Politely and professionally, do not be afraid to question people to check they are who they say they are and have a reason to be there. A genuine customer or visitor will understand that security is in everybody’s interests.
About Jenny Radcliffe
Jenny Radcliffe is an expert in social engineering (the human element of security), negotiations, non-verbal communication and deception, using her skills to help clients protect themselves from malicious social engineering attacks.
Jenny speaks, consults and trains people in the skills of “people hacking” and explains how social engineering using psychological methods can be a huge threat to organisations of all sizes. She reveals how that same knowledge is a valuable tool for security professionals of all types in the prevention of attacks, scams and cons of all kinds.
She is a regular keynote speaker at major security events and has been a guest expert on security, scams and social engineering for various television and radio shows.
For more information visit Jenny's website.