Is Your Company Behind in Defending Against Social Engineering Attacks?
If your company isn’t already taking measures to mitigate your risk of social engineering, you’re behind. That’s the message of a new report on cyber security and fraud from the American Institute of Certified Public Accountants.
The AICPA’s Semi-Annual Report on Fraud Trends and Topics describes several case studies in which victim companies were defrauded of thousands or even millions of dollars at a time over the past four years. In each scenario, a company employee was tricked through email (combined with other communications in some instances) into disbursing funds. In every example, the fraudster pretended to be a known, trusted party, such as a customer, executive, or vendor.
Reports of phishing and other social engineering attacks targeting businesses are increasing. The FBI’s Internet Crime Complaint Center received 7,838 of these complaints in 2015, totaling more than $263 million in losses, according to its 2015 Internet Crime Report.
The report highlights a glaring problem: employees are often the most vulnerable link in the chain of security. Perhaps your company has invested in security infrastructure, such as firewalls, endpoint security solutions, and Intrusion Detection and Intrusion Prevention Systems (IDS/IPS). Even with those defenses functioning effectively, authorized users on your company’s network (employees, officers, contractors, and others) have access to the network and to your assets. When a cybercriminal manipulates those users through email into transferring funds or unknowingly downloading dangerous malware, your technological defenses are compromised.
The recommendations offered in the report include assessing your company’s risk related to social engineering attacks, followed by increasing awareness and providing periodic training to employees. The risk assessment should include identifying vulnerabilities in your company’s environment, such as insufficient security training, users who click on links or attachments, and failure to report security incidents. The report also recommends engaging a cyber-risk security consultant.
Your business is in jeopardy if you don’t understand your cyber security risk and take steps to mitigate it now. By enhancing your defenses against phishing and other social engineering attacks, you’ll be better positioned to protect your organization.
To learn more about how Kaufman Rossin can help your organization identify vulnerabilities, train employees on cybersecurity, and assess incident response through phishing simulations and other cyber security services, contact Kaufman Rossin’s IT Security Consulting team.