Spike in Social Engineering Cyber-Attacks
Technology and Innovation Partner Deirdre Crowley explores how individuals and businesses can protect themselves from this insidious cyber threat
We are receiving a noticeable increase in requests for advice on the legal implications of social engineering attacks. This type of cyber-crime arises where criminals extract information from users in order to compromise vulnerable access points to networks. Social engineering commonly occurs through text messages and email, so the human error risk factor is exceptionally high.
Typically we see criminals target usernames, passwords and even multi-factor authentication codes to gain unlawful access to systems. Cyber criminals also leverage online harvesting resources to build a picture of an organisation's vulnerabilities. Medium-sized to smaller companies appear to be particularly vulnerable due to the interconnectedness of third-party suppliers.
The Irish National Cyber Security Centre (NCSC) and the Garda National Cyber Crime Bureau (GNCCB) have recently issued a warning to Irish SMEs in relation to the current spike in cyber-attacks on this sector.
"We have seen a noticeable change in the tactics of criminal ransomware groups, whereby rather than largely focussing on governments, critical infrastructure and big business, they are increasingly targeting smaller businesses. This is a trend that has been observed globally, and Ireland is no exception with several businesses becoming victims of these groups in the past number of weeks." (Richard Browne, Director of the NCSC)
What can businesses do to limit the legal risk?
- Educate employees and contractors on common tactics used by attackers through text messages, emails and websites.
- Encourage them to report devices showing unusual behaviour, such as those that are crashing more often or operating slowly, and to report any suspicious emails or text messages asking for information.
- Conduct regular unprompted simulated social engineering attacks as part of an overall cyber security training strategy.
- Keep a record of all security training.
What are the key red flag risk issues?
- Further cyber-attacks: it is estimated that 80% of organisations that pay a ransom are attacked again.
- Risk to business continuity in the event of a serious cyber-attack.
- Regulatory risk: data privacy risk and sector-specific regulatory risk, such as Central Bank risk for the fintech sector. Note that a key aggravating factor is the frequency of systemic breaches. Routine post-breach notification queries can become formal regulatory enquiries.
- Brand damage and reputational damage.
- Data subject risk: notifications, complaints to the Data Protection Commission, together with associated queries and investigations.
- Actions for non-material damages from data subjects.