Oscar Wilde once said that “the cynic knows the price of everything, but the value of nothing.” The recent hacking attacks on MGM and Caesars Entertainment demonstrate that someone greatly undervalued cybersecurity awareness, despite its low cost.
Hackers used phishing attacks to socially engineer their way into sensitive computer systems managed by billion-dollar companies. After gaining access, they took over the systems and demanded huge ransoms in exchange for returning control and data.
The multi-million-dollar ransom paid by Caesars shows that neglecting inexpensive cybersecurity awareness programs for employees can lead to very high costs for companies.
Social Engineering Enabled the Attacks
These hacks demonstrated the power of social engineering attacks, which exploit the weakness inherent in the human factor. The attackers used simple phone calls to employees within these companies to circumvent extremely complex cybersecurity systems. The employees were the weak link that the hackers manipulated to gain access to sensitive data and systems.
This simple con job shows that even comprehensive security is useless if employees aren’t aware of the risks and the many different types of attacks. The fact is, securing the many system access points throughout a company is very difficult because of the potential for human error. Employees are the first and last line of defense.
They are the gatekeepers to critical systems. When they are made aware of the threats and the types of attacks they could be subjected to, they’re in a much better position to ward off these simple yet effective attacks. Just imagine: MGM is a 34 billion dollar company that was overthrown by a 10-minute phone call!
Awareness to Avoid Exploitation
Social engineering relies on manipulating human psychology rather than attacking technical systems directly. Tactics include phone calls or phishing emails designed to trick the recipient into clicking malicious links or handing over login credentials.
Bad actors may impersonate managers or outside entities to make their unusual requests seem legitimate. Social engineering exploits natural human tendencies: curiosity, the desire to be helpful, or fear of a negative consequence.
That’s why it’s so important that employees understand these techniques, especially if they take phone calls from outside the company. Employees who understand the risks and the types of attacks gain a priceless cybersecurity skill, and teaching it is a comparatively low-cost security measure.
As we’ve seen in the case of MGM and Caesars Entertainment, there are potential weak links if companies do not take this threat seriously. Of course, that’s not to say MGM or Caesars don’t have this training. At least one of these attacks came through an outside IT vendor.
Don’t Dismiss the Basics
Still, the message is that it is critically important to provide regular training for employees, and to insist on this training for any vendors or contractors that have access to your systems. Anyone with admin-level access should receive regular reminders about the dangers of suspicious emails and the links and attachments within them.
Suspicious emails may contain spelling errors or threats about unpaid accounts. They may ask the recipient to click on a link with very little explanation. Some may make suspicious requests for sensitive information like passwords or account numbers. Employees should always be extremely cautious of attachments or links when the sender is unknown.
Best Practices Include Awareness Training
Because these attacks vary in form and complexity, regular detailed training is a must. Critical thinking beats reflexive compliance as we go through our workday. Attackers rely on our stress, our busy days, and our packed inboxes to slip in odd requests from seemingly reputable sources.
Managers must employ best practices for training their employees and vendors. Companies should actively train employees to create strong, unique passwords for each of their accounts, and should rely on multi-factor authentication whenever possible.
In addition, employees should be trained to review the “From” field of emails and closely examine even legitimate-looking senders. Some attacks substitute letters in the email address to mimic reputable sites. For instance, they may replace a lowercase L with a capital I. Imagine getting an email from “capitaIone.com”: that is NOT “capitalone.com.” The substitution makes the address look legitimate at a glance, and it is a common method for tricking people into trusting the source of an email.
Of course, any outside contact requesting a payment or threatening to collect some unpaid bill should be scrutinized closely. Employees should be aware that attacks come in various forms, and threats of dire consequences often indicate an attempt at manipulation.
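The look-alike domain trick described above can also be caught mechanically at the mail gateway or in a triage script. The following Python filter is an added example, not code from the original article: it folds confusable characters (capital I, digit 1, digit 0, the pair “rn”) before comparing a sender’s domain against an allow-list. The allow-list domains, sample headers and function names are constructed for illustration.

```python
"""Flag look-alike sender domains such as "capitaIone.com" (capital I in
place of lowercase l). Added example; allow-list values are constructed."""
from email.utils import parseaddr

# Constructed allow-list of domains this organisation trusts.
TRUSTED_DOMAINS = {"capitalone.com", "example-bank.com"}

# Characters that pass for one another in many fonts, folded to one form.
# Fold BEFORE lowercasing: lower() would turn "I" into "i" and hide the trick.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(domain: str) -> str:
    """Collapse visually similar characters so look-alikes compare equal."""
    folded = domain.translate(CONFUSABLES).lower()
    return folded.replace("rn", "m")  # "rn" reads as "m" at small sizes


def sender_domain(from_header: str) -> str:
    """Domain part of a From header ('' if it carries no address)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2] if "@" in addr else ""


def classify(from_header: str) -> str:
    """'trusted' for an exact allow-listed domain, 'lookalike' when the
    domain only matches after confusable folding, otherwise 'unknown'."""
    dom = sender_domain(from_header)
    if not dom:
        return "unknown"
    if dom.lower() in TRUSTED_DOMAINS:
        return "trusted"
    if skeleton(dom) in {skeleton(t) for t in TRUSTED_DOMAINS}:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From headers.
    for hdr in ("Alerts <alerts@capitalone.com>",
                "Alerts <alerts@capitaIone.com>",
                "Billing <billing@exarnple-bank.com>",
                "Friend <friend@example.org>"):
        print(f"{classify(hdr):10} {hdr}")
```

Only a `lookalike` verdict warrants blocking or a warning banner; an `unknown` domain is simply not on the allow-list and still needs the human judgement the article describes.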
And of course, any kind of suspicious activity that an employee encounters should be reported.
Not to Sound Like a Broken Record, But,
If we haven’t belabored the point yet, it’s important that companies prioritize ongoing cybersecurity training. One-time training is not enough. Simply talking about situations like the Vegas attacks and telling employees to “be careful” is not enough.
Professional training should be thorough and ongoing. It should include regular testing and confirmation that employees understand the threats involved. Companies should regularly conduct concise, straightforward cybersecurity awareness training to remind employees about current threats and effective precautions.
Obviously, some of the best training you can get will come from cybersecurity experts. Those on the front lines of emerging threats are in the best position to help employees stay vigilant. Hackers are constantly developing new ways to exploit company systems.
Social engineering will continue to be one of the weakest links in any company. More companies will fall victim to this type of attack, but it doesn’t have to be the case for yours. Companies stay vigilant by promoting cybersecurity awareness among their employees and monitoring emerging threats.
Key decision makers, managers, and owners play the key roles in deciding whether these types of training and awareness programs exist within their companies. Employees are pivotal in protecting a company’s assets and customer data.
It’s important to take these lessons seriously. Attacks on major corporations like those in Las Vegas demonstrate that it can happen to anyone. While we can all do our best to stay informed, you may ultimately choose to seek professional help.
If so, please contact us at Acuity for more information on cybersecurity awareness training and support. Don’t stop at a firewall for your systems; build a human firewall to protect against social engineering and phishing attacks.