HR Tips for Preventing Data Breach by Social Engineering
If your organization or company has not yet been affected by a data breach associated with social engineering, it is only a matter of time. The cost of such a breach can bring a small company to financial ruin. The average cost of a data breach, and of the exposure of personal information, can soar into the millions. For enterprise and small business owners alike, lost data can cause irreparable financial and brand damage.
Brightmove is a leading provider of recruiting and staffing software. Our business is IT and our products have to be secure. But any network is only as secure as its weakest link, and in most cases, that means humans.
Social engineering methods—and how to avoid them
As a direct point of contact with the workforce, HR can collaborate with management and employees to prevent and detect social engineering tactics. If the U.S. Department of Justice can be hacked through social engineering, as it was earlier this year, so can your organization.
Consider these points about social engineering:
Humans easily become victims of social engineering on the computer, the telephone, or any other communication device. Social engineering was not invented with the computer. The legendary Trojan Horse, supposedly left by the Greeks as a gift, was nothing of the kind. In the end, Troy—like many present-day networks—was left in ruins. Where there are humans, there are manipulators, and computers are just the latest medium for the manipulation. Humans are your weakest link—and also your strongest link if you provide ongoing training on best practices for communications hygiene.
Types of social engineering:
Though they seem obvious, these methods of convincing or manipulating other humans succeed every day. The most successful salespeople earn their commissions by selling their product with white-hat social engineering. Just a few black-hat social engineering methods include:
Talking your way onto a network:
Calling an employee at a help desk, or emailing an office worker to request assistance getting onto the network, is common. In phishing, bad actors gain the trust of employees by various means in order to get them to reveal passwords or other information. Many serious hacks occur when employees inadvertently provide login information to criminals. The now-famous data breach at Target during the Christmas season in 2013 occurred when hackers gained access to the login credentials of a heating and cooling vendor used by Target. The event permanently impacted the reputation of the Target brand.
- It is essential for HR to work with IT to stay up to date on the latest phishing scams. Using social media and in-person training, HR can issue frequent, ongoing scam alerts that remind employees how to detect a scam, what to do if they suspect one, and most importantly—not to provide further information or follow a link.
Watch your device:
Gaining access to a network through an unattended computer or other device is a crime of opportunity. Be sure everyone in your office space is authorized to be there and that visitors remain in your organization's public areas. Remind employees to use strong passwords on all their devices, and encourage them to lock their screens when they step away from their desks. Remind employees never to plug an unidentified or “found” flash drive into their computer or device; it could be bait. Prohibit the use of plug-and-play physical media from unknown sources.
On the web:
Develop detailed practices and explanations to raise employee awareness of digital hacking techniques. Friendly, interesting, and fraudulent emails can all contain links that deploy malicious programs into your network with a single click. Alert employees that personal information on their LinkedIn profiles can easily be used to create an artificial familiarity that leads them to believe the sender of an email is not dangerous. Highlight the insecurity of Wi-Fi hot spots. Check links in emails for misspellings or suspicious domain names that could be spoofing a legitimate website.
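The advice above to check email links for misspellings and suspicious domain names can be partly automated for a security or HR awareness team. The following Python script is an added example written for this page, not Brightmove code: it pulls URLs out of an email body, reduces each to its registrable domain, and compares that against an allowlist of domains the organization trusts. It flags three common spoofing patterns: a trusted brand name embedded in an unrelated domain (`brightmove.com.account-verify.net`), a character-substitution lookalike (`brightrnove.com`, `brightm0ve.com`), and a name one edit away from, or on a different top-level domain than, a trusted one. The allowlist, the sample email text and the homoglyph table are constructed assumptions; the registrable-domain extraction is deliberately simplified (last two labels) and a real deployment should use the Public Suffix List instead.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organization treats as legitimate (assumption).
# A list rather than a set keeps the comparison order deterministic.
LEGIT_DOMAINS = ["brightmove.com", "example-bank.com", "microsoft.com"]

# Single-character substitutions commonly used in lookalike domains (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Matches http(s) URLs in plain text; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host):
    """Simplified registrable domain: the last two labels of the host name.

    This is an assumption for the example. Hosts under multi-part public suffixes
    (e.g. example.co.uk) need the Public Suffix List to be handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold homoglyphs and the multi-character confusables 'rn' -> 'm', 'vv' -> 'w'."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def classify_url(url):
    """Return (verdict, registrable_domain, reason) for one URL.

    verdict is 'ok' (on the allowlist), 'suspicious' (resembles an allowlisted
    domain without being it) or 'unknown' (no resemblance; not proof of safety).
    """
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return ("ok", reg, None)
    sld = reg.split(".")[0]               # second-level label, e.g. 'brightmove'
    leading_labels = host.lower().split(".")[:-2]   # everything before the registrable domain
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # 1. Trusted name used as a subdomain of an unrelated domain.
        if brand in leading_labels:
            return ("suspicious", reg, f"'{legit}' embedded in '{host}'")
        # 2. Same name on a different top-level domain.
        if sld == brand:
            return ("suspicious", reg, f"'{brand}' on a different TLD than '{legit}'")
        # 3. Character-substitution lookalike.
        if normalize(reg) == normalize(legit):
            return ("suspicious", reg, f"homoglyph lookalike of '{legit}'")
        # 4. One typo away. Very short brand names will cause false positives here.
        if edit_distance(sld, brand) <= 1:
            return ("suspicious", reg, f"one edit away from '{legit}'")
    return ("unknown", reg, None)


def scan_email(text):
    """Classify every URL found in an email body; returns a list of classify_url tuples."""
    return [classify_url(u) for u in URL_RE.findall(text)]


# Constructed sample email body for demonstration (not a real message).
SAMPLE_EMAIL = """
Hi, please review the updated policy at https://www.brightmove.com/policy
and confirm your login at http://brightmove.com.account-verify.net/login
or http://brightrnove.com/reset . Unrelated reading: https://example.org/news
"""

if __name__ == "__main__":
    for verdict, domain, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {domain:30} {reason or ''}")
```

An "unknown" verdict only means the domain does not resemble anything on the allowlist; it should be treated as a prompt to look more closely, not as a clean bill of health. Extending the allowlist with the vendors and SaaS providers your staff actually use (payroll, benefits, recruiting software) is what makes the lookalike checks useful in an HR context.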
These are just a few of the methods that can expose the vulnerabilities of your network. Your workforce can be your strongest defense against a data breach—or the weakest. As security champions, HR leads the way to digital awareness with training and reinforcement of best practices throughout the company culture.
When you have questions about secure recruiting or back office software—we hope you will call us at Brightmove.