The threat of being targeted online is unfortunately becoming ever more prevalent, as our digital footprint grows larger both as individuals and organisations. We have to accept that we will never be 100% safe whilst online, but there are many steps we can take to limit our exposure and decrease our vulnerability – starting with ensuring staff are provided with a cohesive cyber-skills set.
Digital footprint
In order for businesses to operate the devices their employees use to access the Internet they must transmit additional information prior to, during, and after their employees send and receive company data. Nefarious sources are able to identify the devices and networks companies communicate on as well as the software and hardware being used. Collectively, this information is commonly referred to as your digital footprint – and the bigger your footprint, the larger your 'attack surface'. Criminals will always come up with more elaborate ways of extracting data from businesses, through means such as malware, fake websites, phishing emails and more – and if staff aren’t aware of these means, a business is at even higher risk.
We make digital connections that leak data every day. Sometimes this is unavoidable, but what your staff do online and the tenuous connections they make can increase your organisation’s attack surface. Everything your staff members do online leaves a trail. Social media sites also hold a vast amount of personal minutiae. The more information your staff share online, the greater the risk of it, and your company, becoming attractive to cyber criminals.
What happens online stays online!
The data we place online can easily be harvested and added to the data that others place online about us, and it is imperative that staff are trained on this. Facebook has been 'top dog' in the social network world for many years, with the most recent statistics showing 1.39bn active users per month, posting, liking, uploading, and sharing information. This offers a great deal of potential for advertisers, but also to fraudsters – so it’s imperative that your staff understand how sites like this operate and how to enjoy them without giving too much away.
It's not always people you have to think about either. What apps have access to your account? What access do companies your staff have 'liked' on social media have to your data? I suggest you encourage your staff to review their own search privacy, particularly that which allows search engines and advertisers to scour their profiles.
People, processes and technology
World-leading security technologist Bruce Schneier popularised the above phrase as a way of getting people to understand that information security is more than just relying on IT security systems. In many cases, security breaches start off by attacking the human who sits behind the IT systems, e.g. your staff. If the cyber criminals or fraudsters can get your staff to divulge information over the phone, click on a phishing link in an email or visit a malicious website, the bad guys win.
If it can happen to them...
On November 22nd 2014, Sony Pictures Entertainment discovered it had been the victim of one of the worst corporate hacks in history – nearly all aspects of Sony’s internal system had been compromised, meaning the repercussions could last years. Sony acknowledged the security breach to staff as a 'brazen attack', comprised of 'malicious criminal acts'. The group #GOP (Guardians of Peace) claimed responsibility for the attack, prompting an FBI investigation.
In August 2015, hackers reportedly swamped Carphone Warehouse with junk traffic as a smokescreen to distract staff, before breaking into its systems and stealing the personal details of 2.4m customers. Up to 90,000 customers may also have had their encrypted credit card details accessed. Customers with accounts at OneStopPhoneShop.com, e2save.com and mobiles.co.uk are all understood to have been potentially affected by the data breach. Notwithstanding the recent Talk Talk breach with 4m customers impacted, with a very similar attack. It could well be argued that, if staff members knew how hackers of this calibre operated, these breaches could have been prevented.
The threats
Some of the most common threats today are software attacks, theft of intellectual property, identity theft, and information extortion. Phishing attacks are a common example of a low cost attack, and the theft of intellectual property is an extensive issue for organisations. Theft of equipment or information is becoming more prevalent today due to the fact that many devices that staff are using are mobile. Mobile phones, upon which staff keep personal and company information, are prone to theft and have also become far more desirable as the amount of data and device capability increases.
Sabotage usually consists of the destruction or disablement of an organisation's website or services in an attempt to cause loss of confidence to its customers. Information extortion, or ransomware, consists of theft of a company's property or personal information as an attempt to receive a payment in exchange for returning it. It has become apparent that in this digital age, many attacks are pitted against the IT systems we use, and the staff that operate them – meaning the need for cohesive staff training is even higher.
Staying safe
Overall, the best way to prevent being targeted online is to train your staff to take the 'detect, deter, defend' approach. Detect the potential threats by being aware of where they come from; use this awareness to deter from being in a vulnerable position; and defend your business's digital footprint.
