CUNA: Defending against data breaches using the 'human firewall'
Wednesday, November 15, 2017
Most cybercrime employs social engineering, Jerry Beasley of TraceSecurity told attendees of the CUNA/National Association of State Credit Union Supervisors Bank Secrecy Act (BSA) Conference Tuesday. Beasley explained that social engineering techniques are deliberately designed to exploit people’s inherent vulnerabilities.
“A significant part of all data breaches involves some form of social engineering because it is taking advantage of the human condition,” he said. “Basically, it’s usually getting people to make some kind of decision based on what they’re seeing or hearing in a message.”
According to Verizon’s 2016 report on data breaches, social engineering was involved in 35% of breaches. Hacking was involved in 62%, physical actions in 6% and malware in 2%; a single breach can involve more than one of these, so the figures overlap rather than sum to 100%.
The top social engineering technique is phishing, which has seen a 95% jump in recent years, a rise Beasley attributed to state-affiliated espionage.
Phishing involves an individual receiving an email that appears to come from a financial institution, utility company or retailer and asks them to click a link and supply certain information.
Attacks generally employ persuasion, impersonation, urgency or novelty to catch someone’s attention, then rely on the target’s trust, curiosity, conditioning and lack of defined protocols.
Scammers can send emails that appear to come from a financial institution or utility company, or even a personal message from a co-worker.
Credit unions should strongly consider social engineering prevention training that:
- Must be frequent;
- Is conducted on a varying schedule and in varying formats, for example a message with a personal greeting or one prompting a member account action;
- Reports what went wrong and what was successful;
- Should illustrate the impact with pictures, videos or descriptions of the events;
- Is realistic, using tools and techniques from real attacks; and
- Measures specific actions, such as clicking, downloading, following links and opening attachments.
“I’ve never seen an institution fail to see a change once they enacted a program to combat these kinds of attacks,” Beasley said. “You generally see an increased awareness, a change in attitude and more comfort when it comes to dealing with cybersecurity.”
He demonstrated how one campaign nearly eliminated employees falling for simulated phishing emails over a six-month training period.
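The scoring behind such a program, as an added example that is not code from the article or from TraceSecurity: it reads a simulated-phishing event log, counts each employee at most once per action (so a repeated click does not inflate the rate), treats an employee who clicked and then reported the message as a failure rather than a success, ignores actions from anyone the campaign never delivered to, and tracks the click rate across campaigns so a six-month trend is measured rather than estimated. The `campaign,user,action` log format, the action names and the sample events are assumptions constructed for this example.

```python
"""Score simulated-phishing campaigns from an event log.

Added example for this article, not code from TraceSecurity or the original
page. The log format and the sample events are constructed for illustration.
"""
from collections import defaultdict

# Per-user actions a simulation platform might record. "delivered" is the
# denominator; the rest are the behaviours the training is meant to measure.
FAIL_ACTIONS = ("clicked", "downloaded", "submitted")
ACTIONS = ("opened",) + FAIL_ACTIONS + ("reported",)

# Constructed sample: three campaigns over six months, four staff each.
# carol clicks twice in 2017-01; bob reports only after clicking in 2017-03;
# zed clicks in 2017-06 but was never sent the message.
SAMPLE_LOG = """\
# campaign,user,action
2017-01,alice,delivered
2017-01,bob,delivered
2017-01,carol,delivered
2017-01,dave,delivered
2017-01,alice,clicked
2017-01,alice,submitted
2017-01,bob,clicked
2017-01,carol,clicked
2017-01,carol,clicked
2017-01,dave,reported
2017-03,alice,delivered
2017-03,bob,delivered
2017-03,carol,delivered
2017-03,dave,delivered
2017-03,alice,clicked
2017-03,bob,clicked
2017-03,bob,reported
2017-03,carol,reported
2017-03,dave,reported
2017-06,alice,delivered
2017-06,bob,delivered
2017-06,carol,delivered
2017-06,dave,delivered
2017-06,alice,opened
2017-06,bob,reported
2017-06,carol,reported
2017-06,dave,reported
2017-06,zed,clicked
"""


def parse_events(text):
    """Parse the log into (campaign, user, action) tuples, rejecting bad rows."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"line {lineno}: expected campaign,user,action")
        campaign, user, action = fields
        if action != "delivered" and action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        events.append((campaign, user, action))
    return events


def campaign_metrics(events):
    """Per-campaign counts and rates, counting each user once per action.

    Rates are relative to users the message was delivered to; actions from
    anyone else are ignored. A user who clicked and then reported is still a
    failure: the link was followed.
    """
    users_by_action = defaultdict(lambda: defaultdict(set))
    for campaign, user, action in events:
        users_by_action[campaign][action].add(user)

    metrics = {}
    for campaign in sorted(users_by_action):
        acts = users_by_action[campaign]
        delivered = acts["delivered"]
        if not delivered:
            raise ValueError(f"{campaign}: no delivery records")
        failed = set().union(*(acts[a] for a in FAIL_ACTIONS)) & delivered
        succeeded = (acts["reported"] & delivered) - failed
        m = {"delivered": len(delivered), "failed": len(failed),
             "succeeded": len(succeeded)}
        for action in ACTIONS:
            m[f"{action}_rate"] = len(acts[action] & delivered) / len(delivered)
        metrics[campaign] = m
    return metrics


def click_rate_trend(metrics):
    """Click rate per campaign in chronological (sorted campaign id) order."""
    return [(c, metrics[c]["clicked_rate"]) for c in sorted(metrics)]


def report(metrics):
    """One summary line per campaign: what went wrong and what worked."""
    return "\n".join(
        f"{c}: delivered={m['delivered']} clicked={m['clicked_rate']:.0%} "
        f"submitted={m['submitted_rate']:.0%} reported={m['reported_rate']:.0%} "
        f"failed={m['failed']} succeeded={m['succeeded']}"
        for c, m in metrics.items())


if __name__ == "__main__":
    print(report(campaign_metrics(parse_events(SAMPLE_LOG))))
```

Run stand-alone it prints one line per campaign; feeding it a real platform export only requires mapping that export onto the same three columns. Tracking `reported_rate` alongside the click rate matters: a campaign where nobody clicks but nobody reports either shows the lure was weak, not that staff have learned to raise the alarm.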