SOCIAL ENGINEERING
thing. More often than not, social engineering techniques will not even involve computers. With that in mind, it should come as no surprise that social engineering is not covered as part of standard cyber policies. Instead, social engineering claims fall under either their own standalone category of insurance or a rider attached to a crime policy.
The most common definition of social engineering is the use of deception or manipulation in order to obtain confidential information or gain access to secure areas. There are generally four steps by which this occurs: information gathering, relationship development, exploitation, and execution. The entire process, ultimately, relies on trust. A social engineer will either gain the trust or manipulate the trust of individuals in order to accomplish their own goals. An oft-reported security industry statistic states that social engineering attacks usually result in losses for companies (per occurrence) of $25,000 to $100,000.
Social engineers draw on a wide and varied set of techniques, but a few common schemes are used more often than any others.
This list is not meant to be comprehensive but, rather, to give a brief overview of some common attacks:
• Impersonation of a person in authority, be it a member of management or a fellow employee.
• Phishing, in which the attacker calls or emails and asks for confidential information, often under the pretext of being, again, in a position of authority.
• Forensic recovery, in which attackers collect information from old and discarded documents and equipment.
• Attackers may simply tailgate behind another employee entering a facility, or present themselves as someone who has business there but “forgot their credentials”.
Defense against social engineering begins and usually ends with training. Employees need to be trained and educated in the methods that social engineers use. Companies should also have policies put in place designed to mitigate their risk in this area.
Here are some suggestions, but these are by no means comprehensive:
• Never release sensitive or confidential information to anyone you do not personally know without proof of their identity from a trusted third party and never share anything via phone or email.
• Have set procedures for the verification of incoming checks and any outgoing transfers.
• Have set procedures for the verification of customer or vendor details.
• Only open emails from trusted sources and be very wary of unsolicited emails of any kind.
• Do not respond to offers made via phone or email.
• Perform a security assessment through which you identify who in your organization has access to information and what sensitivity level that information lies at. This assists in the identification of the most likely targets for social engineering schemes.
The final line of defense against social engineering attacks should be insurance. Understanding where your potential risks are coming from when it comes to social engineering, knowing the techniques being used to attack organizations, and protecting yourself from those techniques are all part of the same puzzle. Benson Kearley IFG can help every step of the way. For more information or to review your policies, contact Peter Lough at 1-800-361-2140 ext. 1275 or plough@bkifg.com.
BY: PETER LOUGH, COMMERCIAL ACCOUNT EXECUTIVE, BENSON KEARLEY IFG
Peter Lough is a Commercial Account Executive at Benson Kearley IFG. His expertise in corporate Risk Management is supported by prior experience in the Mutual Fund industry. He is a former Professional Lacrosse player, most recently with the Toronto Rock, and has represented Canada at an elite athletic level in both lacrosse and hockey. He successfully obtained his Canadian Accredited Insurance Broker designation.
FALL 2016 | 31