Unified communications channels such as Voice over IP, instant messaging and video conferencing are often discussed for their cost-saving and productivity capabilities. It's no secret that hopping on a video call is a lot cheaper than flying halfway across the world to meet with a client. Nor is it any wonder that the ability to work on any device from nearly any location enhances business productivity.
But unified communications is also an integral component of an organization's security. This is especially true in an era that is increasingly shaping up to be the age of social engineering.
What is social engineering?
While some hackers attempt to orchestrate elaborate data breaches through purely technical means such as identifying flaws in a program's code, others go more directly for the heart and soul of a business: its personnel. Manipulation is the name of the social engineering game. Hackers might use any number of tactics to get an organization insider to divulge authentication credentials or company data that could result in a breach. The most common form is probably the phishing scam, but extortion and masquerading online as someone else also count as social engineering.
With phishing scams, a user will typically receive a message that could feasibly be legitimate. Perhaps it's from a "prospective client" who wants you to review some "company literature." Upon opening the attachment or following a link as requested, the employee unknowingly downloads malware. These attacks can be highly targeted, and some are more difficult to spot than others.
Another increasingly prominent tactic, according to SC Magazine, is the whaling scam. This form of social engineering is summed up by a recent data breach that afflicted the famous messaging application, Snapchat. According to The Washington Post, 700 of the company's current and former employees had personal information compromised after an employee was tricked into sending Social Security numbers, names and salary information to a hacker. Sounds like a big faux pas on first pass, but it's not entirely the employee's fault. The cybercriminal had requested the information while posing as Snapchat's CEO Evan Spiegel – a textbook whaling move. Of course, not all whalers go after data that can be sold on the dark Web. Others may pose as executives in an attempt to have company funds wired to a specific bank account.
Sometimes, social engineering happens at an even more human level. The infamous breach of Sony Pictures that resulted in "The Interview" being pulled from theaters is believed to have happened inside the company. According to Business Insider, "sympathetic employees" let the cybercriminals into the building. The perpetrators are then believed to have obtained an important password from someone in IT, which is how they accessed the company's network.
Of course, these are only a handful of examples of the types of social engineering tactics being used against organizations. Beyond exhibiting human manipulation for a malicious purpose, there is no hard-and-fast profile for a social engineering scheme.
How can UC mitigate the threats?
Communication portals such as email, phone, social media and even instant messaging are some of the common digital avenues used for social engineering. After all, it's much easier for a cybercriminal to pose as someone within an organization when all the recipient has to go on is a disembodied voice or some text on a screen. More importantly, these are all digital portals that have been adopted by organizations in a wide variety of industries. Each of them is at risk of being leveraged for social engineering purposes.
The beauty of unified communications is that it creates a secure user portal through which email, VoIP, instant messaging and video conferencing are all consolidated. A unified activity log of these channels lets users stay on top of all activity and easily catch indicators that their accounts may be in jeopardy. Likewise, employee directories and lists that itemize every employee's contact information reduce the chances that whaling schemes will be successful. If a manager receives an email from his or her CEO requesting the Social Security numbers of all employees, he or she can verify the request immediately over instant message or make a quick call directly from the VoIP softphone.
Many unified communications solutions also include door buzzer features that allow staff to verify the identity of visitors before they are allowed to enter. This can mitigate the risk that a cybercriminal will walk freely into a building and trick employees into divulging company secrets. In the event that there is an intrusion, or any office emergency for that matter, E911 systems immediately alert designated employees, and provide law enforcement with the precise location from which the call was made.
By no means is unified communications a substitute for strong cybersecurity. However, the ability to consolidate multiple channels of communication – and verify suspicious internal requests that might come from personnel in other corporate locations – can help foil the lying and manipulation schemes of cyberattackers. And in the current cyberthreat landscape, every little bit helps.