Regulated industries in the crosshairs
Verizon has been working to enhance security for enterprise customers across various sectors. Notable work comes in helping defend organizations in heavily regulated spaces such as financial services that face growing challenges from two fronts: stricter regulatory pressure and increasingly complex social engineering attacks. At a minimum, corporate devices are a requirement for regulated companies. Using personal devices without recordkeeping software carries heavy legal and financial consequences for regulated organizations, as noted earlier.
In the United States alone, more than US$1.5 billion in penalties have been racked up since the SEC started investigating recordkeeping tactics at financial institutions.[6] That includes 16 Wall Street firms that were fined US$1.8 billion for allowing employees to discuss deals and trades on personal devices via text messages/WhatsApp.[7] As useful as mobile device management (MDM) software may be in curbing cyber threats, personal devices still carry significant risks; it’s still up to the end user to remember to maintain the security posture.
Corporate devices have security benefits you cannot get with BYOD. Swapping personal devices for corporate-issued ones can allow IT staff to gain a better grip not just on internal/external communications but also on various integrity and security aspects of mobile devices. When organizations offer corporate-liable devices from Verizon, they are gaining enhanced security protections and controls not available on personal devices.
This can help to address common vulnerabilities for organizations. For example, when trying to comply with regulators, many companies are contending with high levels of robocalls. Unfortunately for banks, robocalls have become tougher to detect because threat actors use advanced deepfake technologies to create synthetic speech, allowing them to impersonate banking customers.
Among the Verizon solutions that can be used to counter such attacks are compliant calling, voice authentication and defense solutions, and voice honeypots across its wireless and wireline networks. Voice and text honeypots capture spam calls and texts targeting Verizon customers. We then use artificial intelligence and machine learning (AI/ML) to process the content, looping in human analysis to review and escalate new scam campaigns for mitigation.
Financial services are not the only regulated organizations under intensive attack. Healthcare providers are also being targeted by opportunist social engineers, with fraudsters similarly focusing on employees through smishing and vishing attacks. Third-party, low-quality internet service providers (ISPs) may sometimes provide numbers to threat actors, who subsequently use the numbers to conduct targeted attacks against those employees.
To help counter these attacks, our threat intel team—using its honeypot with thousands of phone numbers—has a high success rate, to date, in investigating and disconnecting fraud-related phone numbers at customers’ requests. Moreover, the incident response teams have also been able to shut down suspicious numbers.
Organizations also have the ability to go a step further and take a proactive perspective, as Verizon offers executive protection services. Our threat hunting team can scour the dark web and help remove personally identifiable information (PII)—such as email addresses, phone numbers and physical addresses—about high-level employees that can be used to target them (and their family and social circles) in social engineering attacks.
Implementing a comprehensive defense plan
The first step any business must take in defending its network from social engineering attacks is to understand the nature of the cyber risks being faced. An outline should be created to establish a clear understanding of how to mitigate, minimize, transfer or accept the identified risks. This risk assessment is a critical step because it allows you to identify your assets, threat entities and risk appetite. From there, putting together a comprehensive defense plan becomes much easier because you know what your security goals are and what red flags to look out for.
A defense plan against social engineering attacks comprises two main functions: threat detection and trust enforcement. Both functions apply equally to help detect and counter high-level threats and low-level vulnerabilities.
Threat detection is a cybersecurity discipline that focuses on identifying and dealing with threats such as cyberattacks, compromises, data breaches and incidents once they occur. This is done by spotting and helping stop unauthorized access, malware, social engineering schemes, etc. Trust enforcement is all about getting out in front of potential attacks by leveraging techniques such as identity management, passwords, encryption, access control, authentication, etc. Both of these functions form the bedrock of a broader defense plan against social engineering attacks, one that protects networks, applications, devices and identities.
Verizon provides both of these functions in five key areas of control: awareness training, mobile security policy, security protection controls, detection and response, and monitoring and testing across devices, applications, identities and networks.
Social engineering defense plan recommendations