Posted on July 9, 2019 by Louise Howland
In this episode of Cyber Chat, Rob May explains social engineering, why organisations should be aware of it and how they should be training their staff to help protect against an information breach.
Managing the ongoing cybersecurity of your IT infrastructure should be a primary concern, whatever the shape or size of your organisation. Cybersecurity breaches are the number one threat in today’s business landscape. Incidents come in many forms: cyber attacks; laptops left on trains; malicious staff; or, even more simply, accidental data loss caused by human error. The human firewall is vital as a line of defence for any organisation, and in this video Rob, author of The Human Firewall (available on Amazon), explains what the human firewall is.
Hi, I’m Rob May, I’m MD of ramsac, and welcome to Cyber Chat. Today I want to talk to you about social engineering. Social engineering is the working of people in order to get information that they can use against them. And social engineering is a huge part of the cyber problem that we all face.
One particular example that I witnessed, and I think it’s a good story to tell you in terms of being able to relate to this. A client of ours: the lady on reception received a phone call one day; her name’s Sylvia. Sylvia received a phone call and the person on the end of the phone said, “We’re doing a quiz this morning and if you can answer 3 simple questions, you’ll win a Magnum of Champagne.” So Sylvia said she was happy to do that, and question number one was, “Who is the Queen of England?” and Sylvia knew who the Queen of England was. Question number 2 was “Who’s the Prime Minister of England?” and she also knew who the Prime Minister was. Question number 3 was “What accountancy software do you use?” Now Sylvia didn’t know that, so Sylvia called their IT guy, Mike. Sylvia and Mike are good friends and in fact they were going out for lunch that day, and Sylvia just said, “Mike, quick question, what accountancy software do we use?” and Mike said, “We use Sage Line 50. See you at lunchtime.”
So Sylvia goes back to the guy on the phone and said, “We use Sage Line 50.” They say, “That’s brilliant, 3 questions right, I can send you a Magnum of Champagne. Let me take your details.” Now it won’t surprise you to hear that Sylvia never received a Magnum of Champagne. But several days later, a phone call came in asking to speak to IT, so the call got put through to Mike. Mike answered the phone, and the guy on the end of the phone said, “Hi, this is Sage Technical Support and we can see in our system that you use our Line 50 product.” And Mike said, “Yeah, yeah, I do.” And he said, “Well, we’re proactively calling all of our users today because we found a horrendous security flaw in the software and we just want to warn you about it, but don’t worry. We’ve written a fix. I’m about to email it over to you. You just need to run the fix and everything will be fine, and it’s a neat piece of software. You don’t even need to get all the users out of the system.” So shortly after the phone call Mike received an email that looked like it was from Sage with an attachment, which he ran, and when he ran it, almost instantly his whole network started to fall down around his ears. It was a ransomware attack and they wanted €30,000 paid in Bitcoin in order to get their data back. And the thing is, it was a brilliant case of social engineering, and I think the thing is that in most cases Mike, who I know well, wouldn’t have fallen for that. But on that particular day, he did, and part of our protection when it comes to cyber is that we need to be more sceptical. We perhaps need to trust less; we’ve grown up in what is inherently a trusting culture. We need to just trust a little bit less. If I was Mike, I would have been pushing back. I would have been checking that it was really Sage. I would have been calling them back, I would have been investigating online to see if anybody else was having any problems with the patch, and so on, and so forth.
And, I think normally Mike would have done too.
But on this day, he was tricked and he fell for it. And it was very disruptive. Be aware of social engineering, be aware of people and what they are asking for. Just think: why are they asking, and are they who you really think they are? Stay safe. I hope that was useful. I look forward to speaking to you again, thank you.