Not every attack on data and systems comes directly via cyber attacks. Andy Swift explores the role of physical social engineering techniques and what organizations can do to increase their resilience to such attacks.
Defending against cyber attacks remains high on the agenda for most organizations as they try to keep up with today’s unpredictable threat landscape. But safeguarding against all types of attacks is an unremitting challenge, with cybercriminals continuously refining their techniques to take advantage of the changing ways people work, live, and interact.
A growing concern for security teams is the rising number of breaches that stem from insider threats. Recent research indicates that nearly half of organizations were targeted in this way within the last year, and nearly 75 percent said that such attacks had become more frequent.
However, while the dangers from digital threats such as phishing, social engineering, and malware have been well publicised, the security risks linked to physical spaces have often been overlooked and under-tested. This is despite the ramifications for businesses being equally devastating if criminals gain access to security credentials, confidential data, and customer information.
Human trust is brazenly exploited
The opportunities within physical workplaces, whether offices or any other kind of premises, have spawned another category of malicious tactics developed by cybercriminals, termed physical social engineering (PSE). Broadly speaking, this refers to deception that uses psychological techniques and interpersonal skills to trick employees into granting unauthorised access to physical spaces and sensitive data.
Perhaps it might seem unlikely that anyone would be duped easily into letting an outsider onto work premises in the first place but, as with all social engineering, PSE relies on a clever cocktail of human trust, kindness, and complacency. Let’s face it, who hasn’t opened the door for someone seeming to be a courier delivering an urgent package, or assumed that an unfamiliar face is a legitimate employee, contractor, or supplier? Not to mention the carte blanche that exists for someone wearing a high-visibility jacket! But it’s no laughing matter, as this type of deception is successful because no-one thinks to ask for further identification. What’s more troubling is that some ruses are even simpler, like tailgating, when an attacker just brazenly follows an employee into a building or restricted area.
Hybrid working favours the attacker
Without doubt, the problem has been exacerbated by the rise of hybrid working; and hackers haven’t been slow to spot this weakness. Employees don’t come into direct contact with their co-workers as frequently as in the past and they are often reluctant to confront someone they don’t recognise, presuming they are another co-worker. This gives physical hackers free rein to pose as a member of staff or contractor, fitting in with usual working behaviours like hot-desking and exchanging pleasantries at the drinks machine. Unfortunately, it doesn’t take long before an imposter is accepted as just another familiar, friendly face. Then the intruder is free to spy on unsuspecting employees, working out how to get into restricted areas such as data centres and computer rooms, or accessing information from unattended workstations – and reading those helpful sticky notes frequently on display to remember ‘confidential’ passwords.
Creating a proactive security culture
Organizations need to wake up to the potential risks posed at physical workspaces, whether that’s their own buildings or serviced premises. A good place to start is by raising awareness about the various forms of physical social engineering such as tailgating, impersonation, and pretexting (fabricating a plausible scenario). Then follow up with regular training sessions to educate employees on how to recognise PSE tactics, and engage them in role-playing to practise ways of responding in real-life situations, including how to challenge an unfamiliar person politely and ask to see identification. Scheduling refreshers and sharing regular reminders will encourage staff to stay vigilant. Getting leadership involved helps too: when employees see senior executives taking security training seriously, they are more likely to do the same.
Ideally, issue best practices as company policies. For example, these could include never leaving a workstation unlocked and unattended, never plugging in USB devices found on the premises, and implementing a clean desk policy to ensure important information (including written-down passwords) isn’t left lying around. Additionally, ensure that confidential paperwork is shredded rather than thrown in bins for anyone to sift through or remove.
It’s also important to establish a clear and responsive process for raising concerns about a suspicious incident or individual. Let employees know how to report issues without fear of embarrassment if they make a mistake.
Penetration testing must include physical security
All aspects of physical security must be included within wider penetration testing programs, which have traditionally focused solely on cyber resilience. Using specialist third parties to carry out red team exercises directed at physical security measures and access controls will highlight any vulnerabilities or gaps that may have been missed by internal reviews. Such engagements need a clearly agreed scope, rules of engagement, and written authorisation that the testers carry with them, so that a tester who is challenged can be distinguished from a genuine intruder. The exercise will also determine whether staff are security conscious or are unaware of potential risks and need additional training.
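Red team findings are only half the picture; the access-control system itself can be made to reveal the tailgating described earlier. The following is an added example, not code from the article or from Six Degrees, of two checks a security team could run over badge-reader logs: an entry to an interior door by a badge that never passed a perimeter reader that day (someone walked in behind a colleague, or a badge was cloned), and door-held-open alarms correlated with the badge that last opened that door (someone held the door for a "courier"). The log format, the reader names, the 30-second correlation window and the sample events are all constructed assumptions; a real deployment would read the vendor's export format and span more than one day.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: which readers sit on the building perimeter (hypothetical names).
PERIMETER_DOORS = {"LOBBY_TURNSTILE"}
# Assumed: a held-open alarm within this window of a grant is attributed to that badge.
HELD_OPEN_WINDOW = timedelta(seconds=30)

# Constructed sample log for a single day, not real data:
# <ISO timestamp> <reader> <event> <badge or '-'>
SAMPLE_LOG = """\
2024-03-04T08:58:02 LOBBY_TURNSTILE GRANTED B1001
2024-03-04T08:58:05 LOBBY_TURNSTILE GRANTED B1002
2024-03-04T08:58:20 LOBBY_TURNSTILE DOOR_HELD_OPEN -
2024-03-04T09:01:10 LOBBY_TURNSTILE DOOR_HELD_OPEN -
2024-03-04T09:12:44 SERVER_ROOM GRANTED B1001
2024-03-04T09:15:00 SERVER_ROOM GRANTED B2003
2024-03-04T09:15:02 SERVER_ROOM DENIED B2003
"""


@dataclass
class Event:
    ts: datetime
    door: str
    kind: str
    badge: str


def parse_log(text):
    """Parse whitespace-separated log lines into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, door, kind, badge = line.split()
        events.append(Event(datetime.fromisoformat(ts), door, kind, badge))
    events.sort(key=lambda e: e.ts)
    return events


def find_perimeter_bypass(events):
    """Badges granted at an interior reader before any perimeter grant.

    A badge that shows up deep inside the building without ever badging
    through the front is the classic signature of a tailgater (or a cloned
    badge). Returns (timestamp, door, badge) tuples.
    """
    seen_perimeter = set()
    findings = []
    for e in events:
        if e.kind != "GRANTED":
            continue
        if e.door in PERIMETER_DOORS:
            seen_perimeter.add(e.badge)
        elif e.badge not in seen_perimeter:
            findings.append((e.ts.isoformat(), e.door, e.badge))
    return findings


def find_held_open(events):
    """Door-held-open alarms, each paired with the badge that last opened that door.

    The badge is only attributed when its grant falls inside HELD_OPEN_WINDOW;
    otherwise the holder is unknown (None) and the alarm still needs a look.
    Returns (timestamp, door, badge_or_None) tuples.
    """
    last_grant = {}
    findings = []
    for e in events:
        if e.kind == "GRANTED":
            last_grant[e.door] = e
        elif e.kind == "DOOR_HELD_OPEN":
            prev = last_grant.get(e.door)
            recent = prev is not None and e.ts - prev.ts <= HELD_OPEN_WINDOW
            findings.append((e.ts.isoformat(), e.door, prev.badge if recent else None))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_perimeter_bypass(evs):
        print("perimeter bypass:", f)
    for f in find_held_open(evs):
        print("door held open:", f)
```

Neither check proves an intrusion on its own. A perimeter-bypass hit may be a reader outage or a fire-door entry, and a held-open alarm may be a delivery, so the output is a triage list for the security desk to compare against CCTV and visitor records, not an automatic verdict. What the checks do give the red team and the defenders is a shared, measurable signal: if a physical tester walks to the server room and neither check fires, the logging itself is a finding.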
Hackers are constantly perfecting ways of breaching an organization’s cyber defences to reach its most lucrative assets, and while physical security measures keep lagging behind digital strategies, they will happily take this route to steal information and credentials or plant their malware.
By emphasising the need for constant vigilance and shared responsibility for protecting physical workspaces, organizations can create a more proactive security culture to thwart the increase in PSE attacks. This will help ensure that malicious actors aren’t mistakenly welcomed into the workplace to carry out their crimes and slip away unnoticed.
Andy Swift is Cyber Security Assurance Technical Director, Six Degrees