The Socially Engineered Threat
Social engineering is a cyber attack strategy hedge funds must be aware of. The term covers a wide variety of attack techniques, all of which rely on manipulating a person into handing over information or access rather than breaking the technology itself. To gain a foothold in the targeted network, the criminal will typically call their victim while posing as a trusted party, such as IT support or a bank, and request confidential details like passwords or bank login credentials under the pretext of verifying an issue. Often the victim does not recognise the attack until after they have already divulged their details.
Sometimes social engineering doesn’t even involve a call or an email. Shoulder surfing and tailgating are two very simple, yet effective, methods that cyber criminals use to gain access to information. In shoulder surfing, the criminal steals information by watching over the victim’s shoulder as they work on a laptop or phone in a public space. In tailgating, the criminal trails behind an employee entering the office and either asks them to hold the door or simply follows them inside before it closes. Once inside the building, the attacker can, for example, post fake flyers stating that the IT service desk number has changed, so that staff call the attacker instead of the real help desk.
Baiting is another socially engineered threat, this time playing on the victim’s curiosity. In a baiting attack, the criminal leaves an infected device, such as a USB key, lying where a curious employee will pick it up and plug it into their computer. Once that happens, the malware on the device gives the criminal a route into critical systems and information. Baiting is often combined with tailgating: the attacker first follows an employee into the building, then drops the device somewhere it is sure to be found.
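One technical control that blunts the USB baiting scenario above is to stop workstations from mounting USB mass-storage devices at all. The following shell script is an added example, not part of the original article or any vendor's tooling: it blocks the Linux `usb-storage` kernel module through a modprobe configuration file and provides a check that an auditor can run against that file. The config file path is an assumption (any file under `/etc/modprobe.d/` works); on Windows the equivalent is disabling the USBSTOR service, which is not shown here.

```shell
#!/bin/sh
# Added example: prevent planted USB keys from mounting as drives on Linux
# workstations by telling modprobe to run /bin/true instead of loading the
# usb-storage module. A module that is already loaded must be removed
# (modprobe -r usb-storage) or the machine rebooted for the block to apply.

# Return 0 (true) if the given modprobe config file already contains an
# "install usb-storage /bin/true" (or /bin/false) line, 1 otherwise.
usb_storage_blocked() {
  conf="$1"
  [ -f "$conf" ] || return 1
  grep -Eq '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false)[[:space:]]*$' "$conf"
}

# Write the block rule into the config file given as $1.
# The default path below is an assumption, not a distribution standard.
block_usb_storage() {
  conf="${1:-/etc/modprobe.d/block-usb-storage.conf}"
  {
    printf '# Managed by security policy: USB mass storage is not permitted\n'
    printf 'install usb-storage /bin/true\n'
    printf 'blacklist usb-storage\n'
  } > "$conf"
}

# Stand-alone usage (requires root for the default path):
#   block_usb_storage
#   usb_storage_blocked /etc/modprobe.d/block-usb-storage.conf && echo "blocked"
```

The `install` line is what actually enforces the block; the `blacklist` line only stops automatic loading by alias, so both are written. The check function takes the file path as an argument so it can be run by a compliance script against a fleet without modifying anything.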
You can minimize the risk of socially engineered threats at your firm by taking the following steps:
- Implement formal internal policies and procedures on security best practices.
- Conduct employee training sessions to educate on the potential warning signs of cyber threats, including socially engineered attacks.
- Employ a Virtual CISO, a highly trained security professional, to explain and manage security practices from both a technical and operational perspective.
- Work with a specialist technology partner whose services fit your needs, integrate with your existing vendors and meet or exceed the applicable security and compliance regulations. A specialist partner may not offer as broad a range of solutions as a larger provider, but can deliver a more tailored approach and a smoother rollout of services.