What is the Value of a Holistic Cyber Security Perspective
Most cyber security products and training focus almost entirely on phishing attacks. Since 95% of successful attacks start as a phishing email, this makes perfect sense. But are phishing attacks really the only cyber threat that we should be worried about?
There are several other ways that a hacker can get what they want. In this post, we’ll talk about other potential ways that attackers target you, most of which don’t even need a computer.
Mobile Cyber Security
Poor mobile security habits can come in many forms. The increasing functionality of mobile devices makes taking work out of the office ever easier, and the trend toward Bring Your Own Devices (BYOD) policies continues to blur the lines between work life and home life.
From an efficiency perspective, this isn’t such a bad thing. (Hey look! Unpaid labour as you check your email over breakfast to “keep up”.) In addition, working from a familiar mobile device means no need to spend time and brain space figuring out how to use a new one.
However, from a security perspective, a poor BYOD policy can be an organizational nightmare. It’s not uncommon for people to download apps without really thinking about the potential security concerns. Have you ever downloaded a flashlight app to your phone?
Ever think about the permissions that it asked for and why it needs access to your text messages and the Internet? Things have been improving lately, but in the past, flashlight apps were notorious for being Trojans that installed malware on your smartphone.
Discarding phones used for work is another huge hole in many organizations’ cybersecurity. Do you perform a full wipe of any device that previously held sensitive company data before throwing it away? Or do you rely on the fact that the phone is protected with a PIN?
Did you know that devices that can guess a phone’s 4-digit PIN in less than 17 hours are available for sale for less than 250 Euros? Any reasonably motivated hacker could snag a discarded (or lost) company phone and have complete access to the sensitive company information stored on it, and to any logged-in accounts, within a day.
Most organizations are aware of the need for physical security, but most of them don’t go far enough. While important, a clear delineation between the “public” and “private” areas in your building just isn’t enough to deter an attacker.
In order to protect your people and your property, you need to think outside the box about potential holes in your security setup.
How many of the people in your organization are nice and helpful? We hope it’s quite a few! If one of them saw a mailman struggling with a load of packages or someone carrying a large box, what are the odds that they’d hold the door for them?
Do you think that they’ll be thinking about the fact that everyone coming through the door is supposed to swipe their ID card? While impersonating a member of a federal mail service is illegal, there is no law against dressing like you work for UPS, FedEx, etc.
Even if there were, a suit, a cup of coffee, and an important-sounding phone call give an air of authority and an excuse to do nothing but nod thanks while walking through the open door.
Dumpster diving is a low-tech, low-cost method of collecting sensitive data about an organization. Anything from an old company org chart to photos of the last company picnic can give an attacker information to use in a phishing or other attack.
Dumpster diving also happens to be a surprisingly low-risk method of gathering information. Are your organization’s dumpsters located on private property all of the time or are they located on or moved to public property for collection?
According to UK and US law, dumpster diving is completely legal as long as the dumpster diver is not trespassing in the process. If your trash (and valuable company information) is located on public property, it’s fair game for an attacker.
Think that you have good security habits when working remotely? Have you ever taken a work call in a cafe, airport, etc.? If so, did you greet the caller by name? Maybe name your organization or talk about topics that would let someone guess where you work? If so, you’ve given anyone within earshot enough information to start an attack on your organization.
Just consider what an attacker could learn by dropping a few names and facts gathered from eavesdropping on your conversation and doing a bit of open-source reconnaissance.
Other risks are also present when working remotely. Using public WiFi carries risks ranging from attackers eavesdropping on and data-mining your web traffic for useful nuggets to malicious networks where attackers take advantage of proximity to attack your computer.
Working in public also carries the risk of shoulder surfing, where someone watches you type in a password or looks over your shoulder at sensitive company information. You can learn a lot about a person just by listening and keeping your eyes open when hanging out in a public place.
Social Engineering & Cyber Security
Social engineering is a big topic in cybersecurity. Even ignoring phishing attacks (which are bad enough on their own), social engineers can bypass your personal and company security measures in a variety of ways.
Social engineers take advantage of human psychology, habits, and instinctive behaviours to manipulate people into doing what they want.
Say someone walks up to your company’s front desk holding a USB drive that they claim to have found lying in your company parking lot. Maybe it even has a label on it saying “If lost, return to Your Company at Your Company Address”.
What will most people do when faced with this situation? Probably thank the helpful person and then plug it into a computer to see if there is any clue on it as to whom the drive belongs. And if the USB drive has malware set up to run when the USB is plugged into a computer? Oops.
Many organizations think about the quality of their supply chain. If you put a defective widget into your product and it breaks, your customers don’t blame the widget maker; they blame you.
For the sake of your bottom line, you need to make sure that every component that goes into your product meets minimum quality standards to avoid reputational or legal repercussions.
But have you considered the security side of your supply chain? If the software that your organization develops includes a third-party component with a vulnerability, then your product inherits that vulnerability.
Have you heard of the Equifax breach? The loss of millions of people’s sensitive data was caused by Equifax using software with a known vulnerability that they failed to patch. But no one seems to be mad at Apache for writing the vulnerable code in the first place; they blame Equifax for not taking the appropriate steps to fix code that it inherited from its suppliers.
Protecting Yourself and Your Organization
The common thread between all of the scenarios described in this post is that they are fixable with a well-developed cybersecurity strategy.
Some, like the potential for malicious apps on BYOD devices, have technological solutions. Others involve developing procedures for securely managing certain situations or deploying a cybersecurity education program that prepares your organization for all of the threats that it’s likely to face rather than the most common or those in vogue at the moment.
By taking the time to carefully consider the risks and develop plans to address them, you can protect your organization and your employees both professionally and personally. Developing a security-aware culture and thinking about risks from the human perspective, i.e. how you can empower your teams to be a strong line of defence, is a key step for organizations of all sizes.
Why not join us for Cyber Security Month this October?
Does your company need cyber awareness videos, resources, posters & more to get your co-workers laughing & learning?