In recent years, Advanced Persistent Threats (APTs) have emerged and have become increasingly sophisticated. They use insidious social engineering techniques to gain access to corporate networks and conceal malware there. The attackers then use that malware, at an opportune moment, to retrieve sensitive or valuable information (intellectual property, confidential information, credit card data, etc.), resulting in data breaches and significant business impacts.
Most of the defense strategies used against advanced persistent threats place the emphasis on data protection and network monitoring, but do not consider the human factor. Yet it is often human weakness that enables the success of social engineering techniques such as phishing and, more specifically, the spear phishing used in APT campaigns.
For this reason, businesses should place greater emphasis on raising awareness and training their employees on these techniques, to prevent them from falling victim and to keep threats from materializing. An article from Trend Micro recommends that a proactive security program emphasize three main ideas.
- The first idea is to educate staff on advanced persistent threats and their potential consequences. This program should explain the social engineering principles and the psychological levers being exploited (fear, urgency, trust, etc.). The guidelines must also include putting the concepts learned into practice.
- The second idea is to go beyond traditional learning (reading a book) by training staff to deal with realistic social engineering situations. This can be accomplished through phishing simulations.
- The third idea is to make clear which information may be disclosed securely and without consequence, and which may not. Employees are not always aware of the repercussions of sharing information online.
It is important that employees remain vigilant and aware of the importance of their role in mitigating the risk of targeted attacks that rely on social engineering.
Source: Trend Micro