Social engineers are targeting those in the manufacturing sector in increasingly complex forms, and even the most well-trained member of staff could accidentally download malware or click on a malicious link.
Businesses in the manufacturing sector should be well aware that they are a huge target for cyber attackers.
They are often large companies with a vast number of employees and connections with numerous contractors and supply chains, all offering entry points to the corporate system which cyber criminals will look to exploit.
But when it comes to cyberattacks, most businesses in the sector would probably assume that their employees could spot and avoid social engineering scams – dodgy-sounding emails or suspicious phone calls designed to trick people into disclosing sensitive data or downloading malicious software onto their computer.
Emails from a ‘Nigerian prince’ that you’ve never heard of asking for money, or a typo-riddled email asking for bank details, will usually be swiftly deleted.
But social engineers are now targeting those in the manufacturing sector in increasingly complex forms. While traditional scams are well known, other forms of social engineering are much subtler, and might take the form of an “IT technician” entering the workplace and physically hacking a machine, or a cleverly designed and personalised spear phishing email that claims to be from your CEO or regular supplier.
And it only takes one employee clicking on one malicious link for a company’s entire IT system to be affected.
Plenty of personal information is now available online, with even more situated on the dark web following a string of data breaches. This data is certainly enough for any social engineer to impersonate a close friend, colleague or authoritative figure, with the aim of tricking someone into revealing sensitive information.
That said, you would have to be pretty inexperienced to fall for a social engineering scam, right? Wrong. Anyone can become a victim of a social engineering attack.
In May last year, Walter Stephan, CEO of plane part manufacturer FACC, believed an email purporting to be from another senior member of staff was real, and took part in a ‘secret transaction’ which cost the company approximately £39m.
Defending against this threat is increasingly important as social engineering is becoming more inventive, more sophisticated, and more widespread.
A study by Proofpoint found that social engineering was the top attack technique for beating cyber security defences.
Employees are, and always will be, a business’s weakest link when it comes to security. Many will have access to sensitive corporate information, and more junior members of staff in particular may not be aware of the potential consequences of this information falling into the wrong hands.
When it comes to safeguarding a business from this threat, employee education is an important component. This should cover basic cyber security hygiene such as regularly changing passwords and training on how to spot and avoid any malicious correspondence.
It is also important that staff feel comfortable enough to report any incidents, in order to ensure any issues are addressed as soon as possible.
Unfortunately, even the most well-trained member of staff could accidentally download malware or click on a malicious link. Individuals would understandably be keen to open that attachment purporting to be from their CEO.
Companies should therefore see employee training as a process which complements their security software.
For companies in the manufacturing sector, it is crucial that they get their cyber security foundations right, as this will be the best defence against social engineering scams.
Relying on detection-based technologies will always give cyber criminals an advantage, since companies only know that they have been targeted once attackers are in their system.
Therefore, the best advice is to be proactive and implement protective security technologies that prevent cyber criminals from entering the system in the first place.
For example, giving staff limited access to certain files could prevent them, or anyone who has control of their device, from copying confidential information or changing the network settings.
This can be particularly important for junior staff members, who are often the first target of social engineering attacks, as they may not fully understand the value of the data on the corporate system. Limiting their access to any files or information above their job role will certainly help to mitigate the risks.
Another fundamental piece of software is application whitelisting. This will limit the potential damage caused by a user downloading malware accidentally, even if that user is a CEO who has access to all sensitive data.
These basic cyber security measures can help to mitigate the majority of social engineering attacks – manufacturers and their employees just need to be aware of the threat, and prepare by getting the foundations of cyber security right.
This will provide peace of mind if they become a target and means that they can get on with their day jobs without worrying about manipulative cyberattacks.