You are a security threat!

March 23, 2018

Are you a security threat to your business?

At first you might not think so – after all it’s your business that you have started, nurtured, grown and developed so why would you threaten it? However, even with the best security and antivirus systems in place your business is vulnerable because of you.

It is usually through a human ‘error’ that cybercrime is perpetrated and systems are breached. In my article ‘Social Engineering in Cybercrime’ in this series I discussed some of the common hacking techniques, such as pretexting, diversion, baiting, phishing, waterholing, and quid pro quo.

Each of these techniques relies on the hacker manipulating or conning a human. So what actions can you take to mitigate a cyberattack that comes through ‘human error’?

Policies and procedures

Good security policies go some of the way towards preventing social engineering attacks by setting out the behaviour staff are expected to follow. This might be as involved as a policy on how IT staff verify a caller before resetting a password, or as simple as a policy that disallows work email addresses being used as usernames.

It might also include an employee code of conduct policy that outlines expectations, as well as the consequences if the rules are broken. A policy only goes some of the way, though. It is a bit like having a speed limit on a road: people are aware of the rule, but it doesn’t stop people speeding.

The process of developing the policy may be as useful as the policy itself, because writing it requires you to think about how attacks might actually occur and then how to mitigate those risks.

Awareness and training

By making your staff aware of cybercrime and of the common ruses and threats, they will understand the risks they face, make better-informed decisions, and therefore become less likely to fall victim to cybercrime.

Training should be for all employees, from the CEO to the person at the reception desk. After all, the receptionist is the first person encountered when entering the firm and is therefore your first line of defence against cybercrime.

People learn best when they can relate the material to something, and fortunately cyber security lends itself to storytelling and role-playing. Pose as an IT technician and see how far you can get at hacking your own systems and data. Role-playing and practical examples make security training fun and memorable.

Training through role-playing may also help identify vulnerabilities. Social engineers expect to be questioned and will have prepared answers, so in training come up with uncommon questions rather than just asking who the person is, why they are there, and whether they can prove it.

Online and public presence

I went on holiday overseas and my wife posted on Facebook a picture of the kids and tagged me in the post. I wasn’t even in the photo and I was not that impressed. Why? Because anyone could find out that I was overseas from my being tagged. This is food for would-be hackers. It’s not just Facebook: every social media platform, and everything else online, can become information that a hacker could use in a social engineering ruse.

Also understand what information about you is already available. Telephone directories, the electoral roll, court notices, birth notices and council rates information are all publicly available and a source of information. Try Googling yourself – forget that it seems self-absorbed! – as it will start giving you a sense of what is online.

Go a step further and do a deeper search using a web crawler or a data aggregator program; there are hundreds freely available. Data aggregator programs can be used as reverse profiling tools: you enter a single piece of data, such as a mobile number, and they will find the owner, photos, social media accounts, email authenticity, and family background.

You’d be surprised at how up-to-date the information is too. Even websites used for genealogy can be used to find information. Then, of course, there is the dark web.

The point is that there is a ton of information about everyone online, and forewarned is forearmed. When choosing a password, or the answers to security questions, make sure that the answers are not publicly available.

Don’t choose a password that is the name of the family dog featured in every second Facebook post, or the name of the school you went to 30 years ago. Keep tabs on what your family and friends post online. You might be the most locked-down person in the world, but your wife might not be (as the example above shows).
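One way to turn the advice above into a routine check is to compare a proposed password or security-question answer against the facts that are already public about the person. The snippet below is an added illustration, not code from the original article: it builds a small, constructed ‘public profile’ (pet name, school, family names, suburb, a couple of years from social media posts, all made up for this example), undoes the common letter-for-number substitutions people use to disguise a word, and reports which public facts still appear inside the secret.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed example of what a quick search of someone's public footprint
# might turn up. Every value here is invented for this illustration.
PUBLIC_PROFILE: Dict[str, List[str]] = {
    "pets": ["Rufus"],
    "school": ["Greenvale High"],
    "family": ["Emma", "Liam"],
    "place": ["Glenfield"],
    "years": ["1988", "2016"],  # e.g. a birth year and a wedding year from posts
}

# Substitutions people commonly use to "disguise" a word; they are undone
# before matching so that Rufu5 or Emm4 still count as the pet or family name.
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(text: str) -> str:
    """Lowercase the text and reverse leet-style substitutions."""
    return text.lower().translate(_LEET)


def profile_tokens(profile: Dict[str, List[str]]) -> Tuple[Set[str], Set[str]]:
    """Flatten the profile into normalized word tokens (4+ letters) and raw years.

    Years are kept as digit strings because normalize() would turn their
    digits into letters; they are matched against the secret's raw text.
    """
    words: Set[str] = set()
    years: Set[str] = set()
    for category, values in profile.items():
        for value in values:
            if category == "years":
                years.add(value)
                continue
            for part in re.split(r"\W+", value):
                if len(part) >= 4:  # skip very short fragments that match by chance
                    words.add(normalize(part))
    return words, years


def personal_overlap(secret: str, profile: Dict[str, List[str]] = PUBLIC_PROFILE) -> List[str]:
    """Return the public-profile tokens found inside a password or security answer.

    An empty list means nothing from the public profile appears in the secret.
    Word tokens are compared after normalization; years on the raw digits.
    """
    words, years = profile_tokens(profile)
    normalized_secret = normalize(secret)
    hits = sorted(word for word in words if word in normalized_secret)
    hits += sorted(year for year in years if year in secret)
    return hits


def is_acceptable(secret: str, profile: Dict[str, List[str]] = PUBLIC_PROFILE) -> bool:
    """True when the secret contains nothing from the public profile."""
    return not personal_overlap(secret, profile)


if __name__ == "__main__":
    for candidate in ["Rufu5!2016", "Gr33nvale-High", "correct horse battery staple"]:
        overlap = personal_overlap(candidate)
        verdict = "reject" if overlap else "ok"
        print(f"{candidate!r}: {verdict} {overlap}")
    # Security-question answers get the same treatment as passwords.
    print("first pet = 'Rufus':", "reject" if not is_acceptable("Rufus") else "ok")
```

The profile here is deliberately tiny; in practice the list of tokens comes from the same self-search the article recommends (social media, directories, the electoral roll) and the check is most useful for security-question answers, which are rarely subjected to any complexity rules at all.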

Websites and social media platforms do have guides on how to remove information from their platforms, but it is a bit like plugging a sieve: you plug one hole, and another will appear.

Physical data

I often hear, usually from the older people in the community, that they avoid using computers, or even cloud-based systems, for fear of information theft. However, there are two pieces of information they fail to recognise in this argument.

Firstly, even if you’re not online, physical data and information about you is easily obtainable, both legally and illegally. Electoral rolls are a legal way and stealing mail from a letterbox is an illegal way, and both are very easy.

Physical data carried in a folder can easily be misplaced, so is it really more secure than a cloud-based storage system with a team of people responsible for data security and two-factor authentication?

The second piece of information is that data theft has occurred for centuries; the only real difference in the computer age is that the theft is a lot faster, so more thefts can take place in the same space of time. Keep your physical data as safe as you can: for example, put a lock on your mailbox and use the safe for your valuables at a hotel.

This is the last article in my cybercrime series, and I hope you are a little more aware of cybercrime: what it is, how it is perpetrated, and what you can do to keep yourself and your business safe.