A version of this article was first published on HIPAA Vault’s
Today’s businesses, both large and small, are becoming increasingly familiar with attempts from outside sources to hack into their systems. To mitigate their security risks, these companies rely on the latest high-tech methods and technologies. Unfortunately, a feeling of immunity and security against hackers can accompany the use of these technologies.
However, one simple technique can negate a company’s security plans, and allow access to private/confidential information. This tactic, often used by criminals, is known as social engineering. Social engineering involves psychologically tricking an individual into doing something that may affect the security of their system, such as disclosing or providing access to personal information. Access to personal information may then be used by the criminal for unlawful purposes, with the intent to damage an individual’s personal welfare.
Here is an actual scenario provided by Gil Vidals, CEO of HIPAA Vault, involving social engineering: Andrew, an IT consultant, is trying to ask the CEO of a company to consider his recommendations towards improving the company’s security infrastructure. Unfortunately, Andrew’s sales pitch failed to gain the attention of the company’s CEO, and he was dismissed. As a result, Andrew proposed a plan to obtain access to the CEO’s personal salary. He created a fake badge, pretending he was an IT consultant for the company. He then found some employees in the company’s back parking lot, taking a smoke break. He went over and began to talk and joke around with the employees, and was able to convince them that he was a newly hired IT consultant. When break was over, they headed back into the company building. One of the employees used his security access card to open the door, and held the door open for the rest of the employees – including Andrew. Andrew then spotted an empty desk with a computer, and asked another worker if the person who sat at that desk would be returning soon. The worker told Andrew it would be empty until the next day, because that person called in sick. Andrew was able to deceive the worker into letting him work on the computer, saying he needed to fix their system. Andrew then logged into the system, and was able to access private company files, including the company’s salary file. He pulled up the CEO’s personal salary, collected the information he needed, and emailed the CEO his personal salary. “How did you get my salary?” asked the CEO.
This scenario is a perfect example of the simplicity of social engineering. With minimal effort and the use of his social engineering skills, Andrew was able to gain access into a secure building. This led to accessing a computer, and eventually, a confidential piece of information.
This leads us to ask some important questions: What made this possible? Can this be prevented? What can we do if we become victims of social engineering?
In this case, the social engineering technique used by Andrew was possible because he was able to easily gain the trust of the employees through the use of deception. Yet the whole situation could have been prevented if each of the employees followed normal security protocols, and individually scanned themselves into the building, one by one. It was a mistake for the employee – who may have thought it polite to keep the door open – to do this for the other employees. Employee training that reinforces these protocols, therefore, is an important aspect of keeping the company’s private information safe.
Even if your company has never been victimized by social engineering, it’s important to consider how you might become a target. Management should meet to strategize possible preventative measures, including ways to mitigate security breaches and protect valuable company information. Utilizing an experienced Managed Security Service Provider to help oversee network access, with advanced security tools like protected passwords and two-factor authentication, can also help. Contact a local law enforcement or a professional consultant if needed.