Beware non-sanctioned business tools during lockdown

Cybercrime presents a bigger risk than ever during lockdown, but the same social engineering techniques criminals rely on can be turned around to help mitigate that risk, say UCT specialists.

Speaking during a webinar hosted by the Western Cape chapter of the Institute of Information Technology Professionals South Africa (IITPSA), University of Cape Town (UCT) technical specialists said social engineering was a key method used to gain access to networks, usually for financial gain. With more people working remotely during the lockdown, the risk of cybercrime increased, but awareness could be raised by using the same social engineering techniques criminals use.

Jamiela Dawood, UCT Technical Specialist, and Ghamza Jacobs, Senior Systems Engineer at UCT, described social engineering as both a ‘Jedi mind trick’ and old-school con artistry.

Jacobs said: “Social engineering could be applied to manage social change and regulate the future development and behaviour of a society, or by using deception to influence a person to take an action that is not in their best interests.”

Noting that cyber criminals were quick to move to new technologies and exploit users’ naivety, Jacobs said attacks on South African organisations were increasing. “South Africa is on the radar, and we can no longer bury our heads in the sand. We saw a 75% increase in digital banking fraud between 2017 and 2018, at a cost of R262 million in 2018, at the same time as the number of cash-in-transit robberies started decreasing. For criminals, it’s safer to commit crime from behind a keyboard. Often they will just get the user to open a door for them and they will steamroll in and take whatever they want.”

Social engineering for good

Dawood said that attacks were increasing despite stepped-up efforts to implement cyber resilience strategies. This was because the softest target in any organisation is the human being, and social engineering tactics are regularly employed to leverage this perceived weakness to gain unauthorised access. Social engineering is the art of manipulating people into breaking normal security procedures and best practices.

Dawood said: “To understand why cyber criminals are still successfully attacking organisations using social engineering, we need to understand how people make decisions and how social engineering succeeds.”

To do so, the UCT team applied the Principles of Persuasion outlined by Dr Robert Cialdini of Influence at Work and conducted an experiment on the UCT campus to determine how much information they were able to obtain from subjects. They found that by using the six principles (reciprocity, scarcity, authority, consistency, liking and consensus) they were able to get students to share personal information and scan a QR code with no concern about whether it contained embedded malware.

Said Dawood: “We decided to apply the findings to our campaigns. We at UCT now apply these principles of persuasion to our cyber security awareness campaigns for students and staff. By tapping into these, and using social engineering for good, we have had some success. So, while phishing still happens, the number of people who respond and report early has increased.”

Stepping up security in the 21-day lockdown

IITPSA CEO Tony Parry asked the specialists for their top advice for maintaining security as an unprecedented number of people became remote workers during the lockdown. “As ICT professionals, we have a duty of care to help secure our businesses and citizens, and support business as usual, particularly at this time,” he said.

User awareness is crucial to mitigating risk, they said. Dawood said UCT had issued comprehensive information packs to support remote workers and maintain cyber security.

Jacobs noted that sanctioned technology and applications were key: “During this time, cyber criminals could try to spoof legitimate tools and trick users into downloading a malicious programme. So it is very important that users are not left to their own devices to Google business tools and download any applications they find. Employers should always have sanctioned technologies and services, and they should create a trusted source for particular purposes. They need to be clear on what they should be using and where to get it.”
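The point Jacobs makes about sanctioned tools and a single trusted source can be turned into a mechanical check on the endpoint: before an installer is allowed to run, confirm the tool is on the organisation's sanctioned list, that it was fetched from the designated source host over HTTPS, and that its SHA-256 matches the published manifest. The script below is an added illustration and is not part of the article or UCT's own tooling; the manifest, the host name `downloads.example-corp.internal`, the installer bytes and the lookalike host are all constructed for the example.

```python
import hashlib
from urllib.parse import urlparse

# Constructed installer payload standing in for a real download (example data only).
GOOD_INSTALLER = b"MZ\x90\x00 constructed sanctioned installer bytes for the example"

# Constructed sanctioned-tools manifest: the "trusted source for particular purposes".
# In practice this would be published by IT and fetched from an authenticated channel.
SANCTIONED_TOOLS = {
    "meeting-client": {
        "source_host": "downloads.example-corp.internal",   # hypothetical internal host
        "sha256": hashlib.sha256(GOOD_INSTALLER).hexdigest(),
    },
}


def check_download(tool_name, download_url, payload, manifest=SANCTIONED_TOOLS):
    """Return (allowed, reason) for a downloaded installer.

    The three gates mirror the advice in the article: the tool must be sanctioned,
    it must come from the designated source, and its contents must match what IT published.
    """
    entry = manifest.get(tool_name)
    if entry is None:
        # Users "Googling" for a tool that IT never approved fail here.
        return False, "unknown tool"

    parsed = urlparse(download_url)
    # Exact host comparison, not a suffix or substring match, so that
    # 'downloads.example-corp.internal.something.test' does not pass as trusted.
    if parsed.scheme != "https" or parsed.hostname != entry["source_host"]:
        return False, "untrusted source"

    digest = hashlib.sha256(payload).hexdigest()
    if digest != entry["sha256"]:
        # A tampered or spoofed installer with the right name still fails here.
        return False, "hash mismatch"

    return True, "ok"


if __name__ == "__main__":
    good_url = "https://downloads.example-corp.internal/meeting-client.exe"
    print(check_download("meeting-client", good_url, GOOD_INSTALLER))
    print(check_download("meeting-client", good_url, GOOD_INSTALLER + b"\x00"))
```

The ordering matters for the user experience: an "unknown tool" result is a policy question for IT (is this tool needed and should it be sanctioned?), while "untrusted source" or "hash mismatch" on a sanctioned tool is a signal worth reporting to the security team, since it means the copy the user obtained is not the one the organisation published.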

IITPSA (Institute of Information Technology Professionals South Africa), formerly the Computer Society South Africa (CSSA), is a professional body recognised by the South African Qualifications Authority (SAQA). Established in 1957, the Institute has a long and proud history of service to, and representation of, South Africa’s ICT professionals and practitioners, attracting a broad and active membership from all levels of the ICT industry. For more information, go to www.iitpsa.org.za.
