Despite the increased digitalisation and connectedness of organisations, social engineering remains the preferred method of attack when it comes to data compromise.

In fact, recent figures indicate that 79% of social engineering attempts have been successful.

Considering the financial and reputational impact this can have on business longevity, companies must do more to educate and empower employees to mitigate the risk of this happening.

“Data breaches used to predominantly be an IT problem,” says Kate Mollett, regional manager for Africa at Veeam. “But given how data and technology have permeated every aspect of business today, companies must understand the effect cybersecurity compromises can have on the organisation.

“This is more so the case when it comes to the human element around data protection.”

The real financial impact of a data breach is difficult to quantify. Decision-makers must consider the reputational and brand damage as well as any potential fines if data containing personal information have been compromised.

And, depending on the severity of the breach, some organisations are forced to close their doors given the sheer scale of the loss in consumer confidence.

Shopping season is coming

Seasonal shopping provides an opportunity for hackers to take advantage of peak online traffic and consumers’ willingness to part with their data when buying gifts for Christmas.

We have seen high-profile retailers experience technical issues during these critical trading periods, and it is when there is downtime or unplanned outages that consumers become frustrated and take risks when it comes to the buying experience.

“In the rush to get that special deal, people can get distracted and even feel compelled to purchase something to save a few rands,” says Mollett. “This presents a significant opportunity from a social engineering perspective to target individuals and compromise their personal data.”

In human nature

“Irrespective of whether an organisation is using the most advanced cybersecurity solutions available, people will remain the weakest link in protecting data,” Mollett says. “Social engineering is about manipulating a user group or targeting an individual to share information they would not ordinarily share.

“The reality is that it is quicker to trick someone into providing a password or credentials than it is to hack a system,” she adds.

The rapid digitisation of consumer and organisational records has also seen an increase in global data breaches and cybercrime. The more information that is stored online, the more opportunities exist for malicious users to try and access it.

“Companies are continually building in checks and balances to protect their data. But the human factor remains a challenge. Such is the sophistication of social engineering that many people do not even realise they are being attacked or have been compromised.

“Even though organisations are trying to educate staff about cybersecurity, there will always be nuances that social engineers can exploit.”

However, this does not mean a company should just give up and expect the worst to happen. Instead, ongoing education must be conducted around social engineering aspects such as increasingly sophisticated phishing attacks.

Hackers use phishing as a gateway to deploy ransomware, so protecting against it should be a significant strategic priority.

Information access

Much of this comes down to how people access data. Most companies have embraced the BYOD (bring your own device) mindset and let employees use their own devices for work and accessing the corporate network.

However, some are rethinking this approach. For example, employees cannot take their personal devices onto the trading floor.

“A shift is starting to happen with more companies providing people with cell phones, tablets and laptops for work,” Mollett says. “These can be better secured and form part of a more integrated cybersecurity approach.

“The rise of social engineering and other forms of attack has resulted in businesses becoming more stringent in how data is accessed and shared.”

This benefits organisations with operations outside of the country, especially given the importance of being compliant with GDPR (General Data Protection Regulation).

“The financial repercussions of failing to comply with GDPR are significant. So, not only will BYOD be less of a priority, but user education will become more sophisticated.

“Teaching employees how to identify an attack, the steps needed to take if they have been compromised, and so on will become mission-critical. This also means that cybersecurity training will need to become top of mind for every individual at the business.

“Training must happen more frequently, new employees must be onboarded more effectively, and the entire approach towards data protection must be evaluated.”

The always-on business environment means attackers will target people irrespective of the time of day. The thinking around data protection must therefore shift into this always-connected environment.

Inevitably, cybersecurity budgets will grow, and the security skills shortage will be addressed. But fundamental to this remains ensuring employees have an awareness around social engineering tactics and can respond accordingly.