Humans will always be the weakest link when it comes to security. An agency can utilize top-tier encryption, employ the world's best cybersecurity experts and spend millions of dollars on its defenses, and all it takes for a hacker to gain access to private data is for someone in HR to fall for a social engineering attack.
People often focus on areas like network vulnerabilities when it comes to cybersecurity, but hackers are all about taking the most efficient route. Why would they spend days or weeks combing through an agency's network for an exploitable weakness when they could spend 20 minutes lying over the phone or through an email? Although more "traditional" hacks are certainly something to worry about, agencies need to increase awareness of social engineering and how it can be used to steal private information.
Government agencies have been socially engineered before
The discussion surrounding social engineering of government institutions isn't a thought experiment or some future problem to be dealt with later. It's a very real concern that is affecting agencies right now. In fact, such an attack launched against the Department of Justice ended with a hacker leaking the information of more than 20,000 FBI agents and nearly 9,000 Department of Homeland Security workers.
According to TechTarget contributor Michael Heller, the whole debacle started when the cybercriminal gained access to the email account of a DOJ employee. After that, the hacker contacted the DOJ helpdesk, claiming that he wasn't able to get onto the DOJ's web portal, which allows access to the agency's intranet.
The DOJ employee did the right thing at first: he asked whether the hacker had a "token code" he could give to confirm his identity. When the criminal explained that he hadn't received one, the DOJ worker made the grave error of simply giving him one without asking any further questions. With access to the database, the hacker grabbed as much information as he could and quickly disconnected.
Although it doesn't look like the cybercriminal got any data that could affect national security, this attack shows just how weak the human element of security is. A DOJ employee's attempt to help out a struggling new co-worker devolved into a massive data breach, with thousands of people's personal information compromised. It's a major problem facing the country right now, and there isn't a piece of technology made that can fully fix it.
No one is doing social engineering training
The main problem at hand right now is that very few organizations, both private and government, are taking the time to teach their employees about the risks of a social engineering attack. Most people are inherently trusting, a trait that hackers routinely exploit. Staff members need to know that giving up login credentials to someone over the phone without confirming their identity isn't being compassionate; it's a major security problem that needs to be stamped out.
Sadly, Chris Hadnagy, CEO of the consulting firm Social-Engineer, knows that almost no one is actually taking this kind of risk seriously. Hadnagy has found in his time within the cybersecurity world that around 93 percent of institutions don't educate their employees about the dangers of phishing, one of the most common forms of social engineering. That's an alarmingly high number of exploitable organizations, showing just how widespread this issue has become.
What does social engineering education look like?
Although there are several different kinds of social engineering, an agency looking to shore up knowledge gaps within its staff can still increase security through basic education. Microsoft has created a comprehensive guide to what a phishing attack looks like that would be a great place to start. Something as simple as a spelling mistake in a formal email could be indicative of a social engineering attack, as hackers aren't as concerned with proper sentence structure as an actual employee would be.
Another extremely important lesson to impart to staff members is that they should be extremely wary of trusting sob stories. A common tactic is for a hacker to tell an employee they're scared about something like forgetting their login credentials again and that they don't want their boss to find out and fire them. A more empathetic worker might take pity and give this person the information they're looking for, perhaps even keeping the incident quiet and giving the cybercriminal more time to finish his or her work.
Basically, it's important to emphasize to employees that they are just as much a part of data safety as the IT cybersecurity measures currently in place. Being compassionate while at work is fine, but that shouldn't translate to giving up login credentials to someone over the phone or through an email without proper verification. The private government data at stake is worth the extra effort.