When you think of a hacker, what comes to mind? Do you picture someone dressed as a burglar sitting at a desktop computer in a dark room? If you do, then it’s time to reconsider that idea. For this month’s security focus, we’re going to talk about social engineering and how it turns the hacker stereotype on its head.
Social engineering is a non-technical intrusion method: it relies on human interaction, typically tricking people into divulging confidential information or breaking security procedures. Attackers use it to obtain confidential information and to bypass IT security defenses without ever touching a technical control. Today, almost 80 percent of cyberattacks begin with tricking a human (Verizon and US Secret Service Data Breach 2014 report).
It is tough to protect against social engineering for a few reasons. For one, manipulating a person cannot be prevented with more complex passwords or a new hardware purchase. Also, social engineers can be hard to recognize because they are skilled at appearing to belong in whatever environment they are targeting. They are friendly, knowledgeable and even flirtatious, because they rely on people's natural tendencies to be trusting, to want to help and to not want to appear foolish. It is easy to see how someone would hold the door for a person claiming to have forgotten their security badge, or give information over the phone to someone who says they are calling from the IT department.
The best defense against this ever-growing threat is to train staff to recognize common social engineering tactics. More than 95 percent of past breaches were a result of human error, so design your training on the assumption that staff will make mistakes, and make it easy and blame-free for them to report a suspicious contact or a slip-up as soon as it happens.
Here are some best practices to prepare your staff in the event of social engineering:
- Question strangers and always verify someone's identity before revealing any confidential information.
- Never give confidential information over the phone to someone whose identity you have not verified. If a request may be legitimate, hang up and call back on a number you already have on file, not one the caller gives you.
- Keep an eye out for suspicious emails requesting information, especially ones that create urgency or ask you to skip a normal procedure.
- Do not be afraid to involve a manager.
- Be skeptical!
- Know who your vendors are and always ask to see ID from anyone claiming to be from one of your vendors. An ID card can be faked, so confirm an unscheduled visit with the vendor through your existing contact before granting access.
You could also consider consolidating the vendors you deal with by selecting one that delivers multiple solutions to address the biggest challenges facing your organization. Fewer vendor relationships means fewer names an attacker can plausibly borrow and fewer outside contacts your staff must recognize, which can reduce the risk of falling for a vendor-impersonation pretext.
Identifying a social engineering attack is hard, and some of the best practices outlined above run against human tendencies and a healthcare professional's inclination to help others. Payers can empower staff to use their better judgment and train them to recognize suspicious behavior. Role-play human hacking scenarios, and create a verification checklist that staff complete before sharing anything confidential or granting anyone access. Most importantly, practice. Social engineering methods will continue to evolve, so your staff must remain aware, cautious and skeptical.
Did you miss last month's Payer Security Focus? Read "Preventing Ransomware in Healthcare".