Our IT Executive Roundtables are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialogue on current trends and topics. The group met remotely to discuss the challenges of socially engineered attacks, led by the Senior Vice President and CISO of a leading international chocolate manufacturer. This session was sponsored by Abnormal.
Although organizations are investing significant resources into security education and awareness, social engineering attacks remain a pervasive threat. Even the most resilient systems can succumb to targeted social engineering attacks. But why are these attacks still a challenge to mitigate? What occurs during a social engineering attempt, and how can we minimize the risk?
Social engineering relies on different tactics to manipulate people into revealing sensitive information or taking actions detrimental to their interests or those of their organization. These tactics often exploit human emotions and cognitive biases, such as trust, fear, curiosity, and deference to authority, to create a false sense of legitimacy or urgency. Social engineering attacks were easier to detect in the past, but with technological advancements, they have become more sophisticated and targeted. One significant shift in recent years is the rise of third-party breaches: bad actors compromise a third-party vendor's email system, steal credentials, and then send convincing emails from the vendor's legitimate accounts to the vendor's customers.
Social engineering is particularly effective because it can hijack the brain, causing people to abandon common sense and defined procedures in favor of acting quickly to address a perceived urgent need. Attackers understand the human psyche and try to leverage our innate desire to help or respond in times of chaos. This can cause people to ignore warning signs and make decisions based on emotional impulses rather than carefully considering the facts.
Our featured speaker highlighted that attackers are continually finding new ways to overcome the improved defensive measures taken by organizations. They emphasized that cybercrime is lucrative, and attackers will stop at nothing to profit. Attackers will continue to adapt and pivot their tactics to remain profitable, just as companies fight to maintain their market share and revenue. Therefore, organizations need to understand that user education and awareness must be an ongoing process rather than a one-time event.
In the current cyber-threat landscape, security cannot solely be the responsibility of the IT team. While IT leads the security initiative, involving other stakeholders and promoting a culture of shared responsibility is crucial. Educating corporate leaders about the importance of cybersecurity and empowering them to champion security awareness is essential. Moreover, you must recognize that what worked 5-10 years ago may be less effective today. To strengthen your security posture, you must transition from relying on traditional security controls alone to also leveraging modern AI-powered solutions and behavioral anomaly detection.
Multiple attendees agreed that striking a balance between security and user experience is critical. Security controls must not impede a person's productivity; they should be strong but seamless. It was also noted that implementing user-friendly security controls can enhance an organization's security posture. When people find security measures easy to use, they are more likely to comply, reducing the risk of security breaches. Conversely, if a security control makes it difficult to complete tasks, people are more likely to circumvent it.
A participant remarked that every organization, regardless of size, industry, or security posture, is at risk of compromise. They recounted how cybercriminals were able to install a malicious package on their network by hacking their security vendor's system. This story serves as a reminder that even companies specializing in enterprise security are not impervious to cyberattacks. It emphasizes the need for all organizations to be vigilant and proactive in their approach to cybersecurity.