Introduction
Many information security breaches that transpire in the workplace are largely the result of noncompliance (intentional or unintentional) with information security policies (Kessler et al., 2020; Safa & Maple, 2016; Verizon Enterprise, 2018). In fact, organizations cite negligent employees as their greatest vulnerability to risk exposure (Ernst & Young, 2019). An International Business Machines (IBM, 2020) security study on the cost of information security breaches revealed that the global average cost of a data breach is $3.86 million. The United States of America recorded the highest average total cost of data breaches at $8.64 million, followed by the Middle East at $6.52 million and Canada at $4.5 million. Conversely, Latin America and Brazil had the lowest average total cost at $1.68 million and $1.12 million, respectively. In South Africa, the average cost of a data breach is estimated to be $2.14 million, and a breach takes approximately 228 days to detect and contain (IBM, 2020). A global pandemic, brought about by COVID-19, has caused employers to allow their employees to work outside of the traditional office environment to increase social distancing defense mechanisms (World Health Organization, 2020; Blurke, 2020; Hunter, 2019; Kelly, 2020). This increase in remote working and in the use of employees' own devices for work purposes makes it significantly more difficult and costly to identify and contain a data breach (Baillette & Barlette, 2020; IBM, 2020). Global and local findings show increased budget allocations for automated, physical and technological security systems (Chan et al., 2014; Herath & Rao, 2009; Mouton et al., 2014a). However, information security breaches are on the increase and are largely undeterred (Verizon Enterprise, 2018), particularly concerning mistakes and misdemeanors made by end-user employees (Chan et al., 2014).
Within the South African context, scientific and pragmatic research on information security and the multi-inter-trans-disciplinary (MIT) nature of social engineering in the workplace is under-developed. There is a dearth of awareness and implementation of user-friendly resources to sustain a healthy level of security and protection.
Social engineering is a psychological strategy used to manipulate and exploit end-users for personal gain. It is the use of devious and deceptive techniques against the inherent nature of human beings to access sensitive and confidential information in order to achieve an illicit action or omission of action (Jansen van Rensburg, 2017). The root causes of data breaches are categorized as malicious attacks, system glitches and human error (IBM, 2020). Social engineering attacks are the result of one or a combination of these categories. Information security breaches manifest in different ways that include the hacking of Twitter as well as the Zoom and Marriott data breaches (Dutta, 2020). The Marriott data breach involved the theft of half a million global hotel guests’ personal information through credential stuffing and phishing attacks – notorious social engineering techniques (Marriott International, 2020).