To the dismay of organizations big and small, the use of technical skills and old hacking methods to breach a company’s firewall are being pushed aside as more hackers turn to social engineering to get what they want. But what does this shift mean for companies and customers?
Why hack the whole system when you can attack the weakest link
To put it simply, social engineering, in terms of cyber security, is the act of exploiting human behavior - in this case, deceiving individuals in a company to divulge confidential information in order to gain access to restricted company secrets. Perhaps the scariest thing about social engineering is that many traditional cybersecurity tactics only go so far in preventing it.
As an example, it wouldn’t matter how strong a firewall a company has built if one of its users isn’t educated on the importance of not clicking on a seemingly innocent link, a simple mistake and a split-second action can lead to a tremendous negative impact. This is what makes social engineering so powerful.
No more forced break-ins. When it comes to social engineering: buildings, systems, and data centers can be accessed with minimal technical skill, so long as the person trying to get in knows a little bit about human behavior along with its vulnerabilities.
While a hacker will scour the systems looking for vulnerabilities in software, social engineers are more apt in dialing up an employee directly, posing as a tech support member who needs their password.
On paper, social engineering attempts may sound easy enough to spot and avoid. However, when studying the numbers, that’s clearly not the case.
Social engineering is growing
Not only is social engineering a proven effective technique, but it’s also getting worse. There are a thousand examples of social engineering that one can use to gain access to a sensitive area, whether online or offline.
Phishing emails are among the most well-known, and despite that, more than 80,000 people still fall victim to those misleading links each and every day. The reason is simple: the attempts continue to get more and more convincing.
In a given day, around 156 million phishing emails are sent out. Of those, about 16 million make it through automatic spam filters and half of those messages are opened by unsuspecting individuals simply checking their inbox.
From the more than 800,000 phishing links that are clicked every day via this method, about 10% of people will leave their sensitive information on the bait website. That could mean anything from a social media login to a credit card number or even a work password. It all depends on what the social engineer behind the scheme is trying to gain access to.
That information that gets collected is then put into a database. It may be used in a specific attack against a company or sold to advertisers, other scammers, or another group altogether for reasons of profit and financial gain.
Bottom line, these statistics are shocking. So, how can it be prevented? Karri Kurunmäki, one of the founders of HoxHunt, says prevention is rooted in education.
Preventing social hacking
Behind a strong tech company, there’s a strong market and a customer pain that is desperate for a cure. Hoxhunt is working to solve the one problem that cybersecurity professionals all around the world are facing: there’s a massive need for user education, yet a massive lack of resources to deliver that education.
At the average organization, there’s about a 40% chance that someone will fall victim to a phishing attack and leak sensitive information. What’s even more unfortunate is that only about 5% of real attacks get reported.
User education is the cornerstone to preventing phishing and other means of social engineering, and so that’s exactly what Karri Kurunmäki and Hoxhunt have set out to deliver to the masses.
Following the implementation of Hoxhunt’s automated phishing training, the average risk of falling victim to a phishing attack drops to just 2%. Meanwhile, the reporting rate of real attacks rises to an astounding 70%.
These numbers are achieved by turning an organization's employees into the greatest asset against social engineering ploys. Conventional cybersecurity approaches focus completely on chasing the threat of a given day. Hoxhunt focuses on empowering employees instead so as to shield the organization from attacks at the frontline.
“For companies, this form of user education will benefit them greatly. Without such education, employees are significantly more likely to fall victim to a phishing attempt that could harm not only their personal lives but the entire company as well”, Kurunmäki summarizes.
Gamification is the key
Of course, the concept of user education is not new, so why is Hoxhunt any different? The answer to that question lies in the approach. Whereas conferences and seminars will have low interaction and engagement rates on behalf of the employees a business is trying to train, Hoxhunt takes a fun and gamified approach to this technical subject.
“Just about every organization out there faces malicious emails, whether it’s Ransomware, CXO Scams, or Credential phishing. Raising user awareness through posters and one-off meetings simply are not effective ways to fight these ever-advancing social engineering tactics”, Kurunmäki explains.
That’s why Hoxhunt works to raise awareness while also teaching users how to respond the right way once they have recognized an attack attempt. By simulating attacks automatically and periodically, employees learn to identify and handle them appropriately.
Employees who respond by reporting attacks are rewarded with points (including being put on a company-wide scoreboard), and reports are neatly assembled on a set schedule using a plugin that easily integrates with Gmail and Outlook. In fact, ease is at the center of the system.
The entire Hoxhunt program can be set up in about 20 minutes with G Suite or Office 365 and employees will immediately become immersed in the anti-phishing training.
These so-called "human firewalls" have already been created at companies like IKEA and Nets thanks to the implementation of the Hoxhunt plugin. This fully automated micro training regime includes individual learning paths and multi-language support to ensure the most widespread implementation options possible.
The company recently raised 2.5M€ from Dawn Capital, one of the leading VCs in Europe.
To learn more about putting cyber security on autopilot, visit hoxhunt.com. Additional references of this post include getcybersafe.gc.ca. Photo by Senja Larsen.