Situational Awareness – How Strong Are Your Spidey Senses?

Peter Fellini
Sep 17, 2020 3:15:00 PM

How aware are we of our surroundings? What is happening around us that we are not aware of? Being more cognizant of our surroundings at work and at home can bring a lot of positive results to our corporate security posture.

Social engineering attacks continue to pose a massive threat to organizations across all industries. The social engineering family includes phishing via email, vishing via phone call, smishing via text message, on-site impersonation breaches, and so on. These attacks have grown in popularity over the years as organizations have strengthened their technology security controls. When it becomes too difficult for a hacker to breach a firewall or crack a password, they will try to trick an employee to open the digital or physical door for them. Compass IT Compliance offers assessments in all these areas to test an organization’s strength with a simulation, and you would be astonished to learn how many organizations fail by a large margin on their first assessment!

Training your staff to recognize social engineering threats is key to mitigating the risk of a security incident or data breach. Continuous security awareness training is a must, and some organizations have begun taking it a step further by conducting Situational Awareness for Employees (S.A.F.E.) training. S.A.F.E. training can heighten your employees’ awareness of what is happening around them. The program can teach employees how to become more situationally aware and how to protect themselves and their organization by identifying potential threats in real time. This can enable your employees to spot pre-threat indicators as they arise. Who is suspiciously hanging around in the company’s smoking area who does not belong? What questions are being asked of your employees, either over the phone, in person, or via text/email? These observations could be the precursor to a social engineering attack.

Here is another way to look at it: throughout the workday you may have dozens or hundreds of staff in your organization with their eyes glued to screens. Various alerts and notifications will appear, and how the employees interpret and respond to these signals is key. A well-trained employee becomes a watchman for the organization, reporting suspicious activities the moment they appear, and by doing so helping to prevent an attack or catch it in its very early stages. The more well-trained employees you have, the more watchmen you have helping to guard your organization’s technology. It is important that employees feel comfortable reporting anomalies, even if they are the ones who caused them. In nearly all cases of data breaches and ransomware attacks, there was an anomaly or threat indicator that either went unrecognized or was ignored.

This past July, Twitter saw some of its most prominent accounts fall victim to a breach that stemmed from a social engineering exploit. Several malicious actors carried out a highly targeted spear-phishing campaign over the phone to trick Twitter employees into giving them access. After stealing employee credentials and getting into Twitter’s systems, the hackers were able to target other employees who had access to account support tools. From there, the hackers were able to send tweets from 45 accounts, access the direct message inboxes of 36 accounts, and download the Twitter data of 7 accounts. The tweets sent out by the hackers encouraged readers to send $1,000 to an anonymous Bitcoin address with the promise that their money would be doubled. Compromised accounts that sent out these tweets included those of Barack Obama, Joe Biden, Mike Bloomberg, Jeff Bezos, Bill Gates, and Elon Musk, to name a few. Although Twitter acted fast to remove the hackers’ access and take down the tweets, the hackers were able to scam people around the globe out of more than $100,000 in Bitcoin. The hackers have since been apprehended by authorities, but the example goes to show the trouble that can be caused when employees do not recognize or report the signals of a social engineering attack.

Your employees are your first line of defense, and training them continuously can inexpensively strengthen your overall organizational security posture, mitigating the risk of a successful attack. Compass IT Compliance is an industry leader in providing security awareness and S.A.F.E. training, social engineering assessments, and phishing assessments to organizations across the nation. Our experts live and breathe social engineering, competing in competitions and receiving training from the best in the industry, including Chris Hadnagy, Joe Navarro, and Yousef Badou. Contact us today to learn more and discuss your unique situation!