Security training and awareness must focus on risk scenarios that include the human element. The is especially so in light of the 2017  Verizon’s Data Breach Digest report that 90 percent of data-loss incidents have a phishing or social engineering component.

The cost of a data breach for both large and small to medium-size enterprises continues to rise. In addition to the financial loss there is also the reputational cost to consider. Indeed, a recent PCIpay survey found that one-fifth of US consumers never return to breached brands. In addition, an RSA survey found that 62 percent blame the company first in the event of a data breach rather than the hacker. 

Companies with authentication processes, firewalls, VPNs, and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information. Security training and awareness the includes the human element is vital for enterprise survival. A simple social engineering attack, such as a phone call (vishing), can have devastating consequences.

Vishing – A Simple Yet Dangerous Social Engineering Attack Vector

Vishing, commonly known as voice phishing or phone elicitation, is quickly becoming one of the most dangerous social engineering attack vectors. Employees in customer service, sales, and HR departments are highly vulnerable to these types of attacks.

For instance, consider what happened to the Boulder Valley School District in 2017. To start with, an attacker did research and collected publicly available information regarding contracts between the school district and its contractor, Adolfson and Peterson Construction Company. As a result of this research, the attacker could now pretext as an employee of the construction company.  The attacker then called the school district’s accounts payable department requesting that the school district change the way they pay the construction company. The accounts payable department complied and began sending payments to a fraudulent bank account the attacker had set up. Eventually, the school district became aware of the theft when they started to receive late payment notices from the genuine Adolfson and Peterson Construction Company.

In the end, the School District was conned out of $850,000, all because of a simple phone call. If this had been your company, how would you have fared? Are your employees trained to identity vishing attacks?

Training and Awareness Are Vital

As seen from the example above,  an investment in security education, training, and awareness is truly vital for enterprise survival. So, how can you train your employees? Simulated vishing attacks are an effective way to assess your enterprise.

To illustrate this point, Social-Engineer, LLC, an information security consulting and training company, made over 20,000 vishing calls over the last three years, analyzed the data and pinpointed clear weak points in a corporation’s security. This year, at DerbyCon 8.0, Chris Hadnagy, CEO of Social-Engineer, LLC and Cat Murdock, a pen tester for the company, presented their findings. Three key takeaways from their analysis are:  

  • Vishing calls are more successful in the afternoon. 
  • Friday is the most vulnerable day for employees. 
  • HR open enrollment (for US-based clients) is the most successful pretext.  

The Value of Awareness Training

As can be seen, the value of simulated vishing is clear. With just those three takeaways an enterprise now has actionable information to implement security improvements. As noted by Chris Hadnagy at DerbyCon, “your team will be more vulnerable on Friday.” With this in mind, SE Vishing Service (SEVS), such as provided by Social-Engineer, LLC , can provide help in these 4 specific ways:   

  • Simulated attacks are an effective way to assess vulnerabilities.  
  • Extensive reporting provides actionable data about employee responses to various vishing attack scenarios.  
  • Identify which departments or employees are most susceptible.  
  • Based on results from vishing assessment, develop a continuous assessment and training process to successfully combat vishing attacks.  

Make Security Culture a Core Value

Given these points, creating a culture of security must be a core value for any enterprise. With just one phone call, an enterprise can suffer devastating consequences. Therefore, invest in and implement security training and awareness that is multi-layered. And by all means, do not overlook the human element. Teach employees how to identify and respond to vishing threats. 

In conclusion, data breaches will happen. However, the risk and cost to your enterprise can be mitigated through effective security training and awareness that includes the human element.  

Watch Chris Hadnagy and Cat Murdock at DerbyCon