What Bad IT Habits Do Cyber Criminals Target?

  • June 27, 2017

Part 2 in our Stalk the Stalkers Series

Last year marked the greatest spike of cybercrime in recorded history, according to IBM’s “X-Force Threat Intelligence Index 2017.” In 2016, 566% more data records were compromised compared to the year prior, IBM researchers discovered. In quantitative terms, more than 4 billion records were breached in 2016 versus 600 million in 2015.

Social engineering techniques – such as ransomware and phishing – now lead the way in this onslaught by cyber predators. In traditional parlance, a crook who is a “social engineer” would have been called a “con artist.” In the cyber context, social engineers rely on interaction with human beings, not software or hardware systems, for access to networks and databases.

While email is the preferred social engineering method – IBM’s report showed 88% of spam attachments in 2016 contained ransomware – more and more cyber criminals are using the phone, too, talking directly to workers in the grandest tradition of con games. Why? Because they prey primarily on a person’s unconscious habits, eagerness to serve or willingness to be helpful.

For example, an attacker may pretend to be a co-worker who has an urgent business problem that requires access to additional network resources. In many cases, social engineers impersonate authority figures. A cybercrook may steal a CEO’s email signature, for example, and instruct the firm’s comptroller to transfer funds to a bogus bank account.

These attacks can be hard to recognize or track because they are indirect. The individual contacted is not the hacker’s ultimate target. Many times, hackers act like the CIA, gathering enough intelligence on an organization to understand what data the company possesses, who talks to whom in daily workflow, who approves payment or data transfers, and who’s in the firm’s network of partners.

In any case, social engineering is a growing problem for small to mid-size businesses (SMBs), which have become the victims of nearly half of all cyberattacks. Why? One pragmatic theory is that SMBs often lack formal IT departments, which can lead to certain “bad IT habits”:

  • Nonexistent or inconsistent network monitoring for security purposes; an SMB may be watching the performance of its network but not the network’s level of cybersecurity.
  • Nonexistent or inadequate mobile policy; for example, what happens when an employee loses a smartphone or tablet tied to the company’s network? And how soon does it happen?
  • Sloppy software maintenance; the updates and patches to a firm’s software applications may not be applied on a timely basis – or at all.

The presence of one or all of these technical vulnerabilities can be discovered, verified and/or exploited by social engineering techniques.

So, what’s the best defense for an SMB? Working with an IT Managed Services Provider (MSP) is an excellent start, as most MSPs provide aid and support for each of the above-mentioned issues. And any IT service or policy benefits from user education, especially cybersecurity. For help launching a program at your SMB, see our post “4 Ways to Boost the Engagement (and ROI) of Employee Training Sessions.”

ITinflections is a blog that covers a wide range of technology-based articles on IT in the workplace, focusing on small- to medium-sized businesses.

If you’re looking to improve your company’s productivity through the effective use of technology, enjoy ITinflections, the blog about technology for business.