Spring 2016 issue of Horizons

FEATURE | Social Engineering: Is Your Business Opening the Door (Literally) to Cyber Attacks?

What You Can Do Most of the major breaches reported in the press during the last three years can be traced back to a social engineering attack. If major retailers, entertainment companies, healthcare organizations and service companies with millions of dollars invested in technology can be compromised, what can you do? A lot, actually. Social engineering takes advantage of human trust, and often smaller organizations have an easier time addressing training and trust issues. The following are a few ideas for reducing the risk from social engineering. Knowledge: Half the battle is knowing what kind of sensitive data your company possesses, from employees’ social security numbers to customers’ credit card information. You should know where this information is stored, who can access it and what protections are in place. Internal Controls: Implement internal controls to protect your financial systems from fraudulent transactions, or at least detect them if they occur. For example, many businesses use some form of dual control in their payment systems. One employee might prepare a payment or wire transfer, but it requires the approval of another person inside the company – in some cases, the owner. Training: Take time to train your team about social engineering. Not just the daily phishing

emails, but all forms of social engineering. Encourage them to be skeptical about callers asking for information, and train them to verify a contact’s identity. Don’t just accept that a caller is from your bank – call your bank directly and confirm the call is legitimate. Let your team know how and when to report suspicious activity as soon as possible. Culture: Encourage a culture where it is standard to report potential attempts, including “I may have clicked on something” reports, so you can reinforce training and identify issues early. Technology: Many technology solutions exist to help with everything from inspecting emails for attachments and links, blocking connections to malware sites, requiring strong authentication and logging security events. The key thing to remember is that technology is part of the overall solution. Vigilance: Make the effort to evaluate your security, test user knowledge and assess your organization’s environment on a regular basis to determine where updates or new solutions may be needed. An ongoing process is critical to maintaining security. The dangers of social engineering are real. You can reduce your organization’s risk by using the right combination of people, process and technology.

RubinBrown’s Cyber Security Advisory Services Group RubinBrown has a dedicated team specializing in cyber security services designed to meet each client’s requirements. We provide experienced security professionals for executive consulting, security risk assessments, vulnerability and penetration testing, vendor risk management and specialized security consulting.

Rob Rudloff, CISSP-ISSMP Partner Cyber Security Advisory Services Group 303.952.1220 rob.rudloff@rubinbrown.com

Audrey Katcher, CPA, CISA, CITP, CGMA Partner Business Advisory Services Group 314.290.3420 audrey.katcher@rubinbrown.com

page 20 | horizons Spring 2016