What You Don’t Know Really Can Hurt You
Social engineers wait for naïve, untrained staff to fall into their traps.
I was 16 years old when I realized the old cliché, “what you don’t know can’t hurt you” was utterly and unequivocally false.
That’s when a police officer pulled me over for speeding on a new stretch of interstate. While the officer wrote out the ticket, I performed a mental calculation; based on the standard fine of $10 for every mile over the limit, I estimated the fine to be $120.
Pretty steep for my shallow pockets, but he did bust me fair and square.
After the officer handed me the carbon copy of the ticket, I was stunned to read the fine would be $360—triple that of my calculation. Confident the officer made a grievous mathematical mistake I disputed his calculations and demanded an explanation.
He calmly informed me of a new law that tripled fines for violations within construction areas. Despite being surrounded by orange barrels and concrete partitions, I protested earnestly that I had no way of knowing about the law and shouldn’t be held accountable.
Suppressing a snicker at my lame argument, the officer slowly leaned forward to meet me at eye level. In a clearly rehearsed manner, he offered this gem of advice: “Son, ignorance is no excuse.”
Had I been aware of the law and the relevant consequences, I likely would have been more aware of my surroundings, kept my speed in check, and moved through the construction zone without incident. So, what I didn’t know really did hurt me.
Without proper security awareness training, most front-line employees at credit unions will be just like my 16-year-old persona: ignorant of the rules, unaware of their surroundings, and oblivious to the consequences.
It’s impractical, imprudent, and quite dangerous to assume regular employees will be able to identify and respond to fraudulent activities without first being educated on how to recognize social engineering techniques.
Fortunately, financial institutions can mitigate their risk exposure from fraud and social engineering in much the same way I mitigated the cost of my speeding ticket: training.
Attending an eight-hour defensive driving class allowed me to get a reduced fine, a less-severe impact to my insurance, and several life lessons that remain ingrained in my memory.
But financial institutions don’t get off as easy. Several years of evidence and comprehensive research around data breach trends prove that financial institutions have too much at stake to wait for an incident to occur before addressing security awareness training.
Next: Two alarming findings
Two alarming findings
The 2011 Verizon Data Breach Investigations Report [pdf] not only provides extensive details on data breaches, it offers compelling evidence that a comprehensive security awareness program is essential to protecting institutions from opportunistic social engineers.
The report claims that of all the breaches stemming from social engineering methods documented in the study, 83% were “opportunistic attacks” on institutions that exhibited a weakness or vulnerability the attacker could exploit.
The report indicates that most of these attacks originated in the form of classic social engineering tactics, including pretexting, counterfeiting/forgery, phishing, hoaxes, and “trusted authority” influence tactics.
Like the police officer in the anecdote, social engineers simply wait patiently for naïve, untrained employees to come along and fall into their traps.
The two most alarming conclusions that should influence an organization’s attitudes toward security awareness training:
- Frontline employees/end users were the targets of 80% of these attacks; and
- 78% of the attacks involved in-person contact.
In light of these results, it’s no wonder that many independent studies show that nearly two-thirds of the organizations that suffer breaches rank security awareness training as their top priority for post-breach remediation.
The same studies consistently indicate that more than 75% of these organizations claim employee education is the most effective way to prevent fraud.
These facts should be enough justification for most organizations to either implement an intensive security awareness training program or at least rethink their current approach.
For those still not convinced, consider that the costs related to data breaches involving social engineering are estimated to be around $315 per record. That’s $100 more than the estimated per-record costs for incidents resulting from other causes.
What your employees don’t know can hurt the entire organization. The good news is that security awareness training isn’t only a proven method of combating social engineering and fraud, it’s a relatively inexpensive endeavor.
It’s certainly less expensive than an actual security breach.