Observations from a Social Engineering Security Assessment
As a Threat and Vulnerability specialist, I regularly perform Social Engineering Assessments. These can consist of sending phishing emails, testing the physical security of an organization, and making vishing calls to see how much confidential information employees are willing to divulge to a simulated bad actor. Last week was no different.
The vishing engagement was aimed specifically at coronavirus implications to cyber security for a well-established medical-treatment company. I noticed some stark contrasts to previous engagements, as well as between employees still in the office and those working from home. Anecdotally, I thought this was worth sharing as the shift to a remote workforce may be similarly impacting other businesses.
Loss of Procedure
Employees who were working remotely appeared unable to follow previously established procedures. In this case, they likely lacked access to their employee directory. Confirming my proposed identity may have been impossible.
The employees who answered their phones were more gabby than usual. Perhaps it’s because isolation had made us all a bit hungrier for social interaction. Having longer, more human conversation isn’t bad in itself. The danger is that it provides more opportunity for a bad actor to relate and build false trust. These types of calls increase the likelihood of bad outcomes.
The remote employees were much harder to reach than typical. In fact, even though I spoofed the company’s phone number, most didn’t answer their phone. Whenever I’ve hosted tabletop exercises in the past, I’ve asked, “Will you be able to reach this team outside of business hours?” Companies always answer, “Yes.” However, this is hard to test for some companies, and often there is no need to unless a major incident occurs. Should a cyber security issue arise, companies with unresponsive staff will have time working against them.
This pandemic presents a new security risk in itself. What bad habits may they be prone to when working from home? Can they be reached in a timely manner?
Based on my observations, I recommend increasing communication with your team. Make sure they have needed tools and encourage them to maintain security procedures. Ensure that team members have access to your VPN. Confirm they know who to contact about any phishy emails or phone calls.
Finally, strongly consider using this shift in workplace to your benefit. If you have the ability, consider having the security habits of your employees tested. The vulnerabilities discovered from testing during this time will be beneficial into the future. They may help your company institute new procedures that tighten security or improve business practices for the long run.
Read more about how to work from home safely during the COVID-19 pandemic here.