Did I Just Socially Engineer My Own Identity Theft?
Social engineering is the use of deception to get people to divulge confidential information. On an individual scale, it can be something as simple as disclosing the personal identification number for your bank card, enabling someone to illegally access your funds. On a corporate scale, it can entail the leaking of thousands of people’s confidential information including user names, passwords, identity numbers, etc.
BUI MD Ryan Roseveare says: “Although this type of social engineering can affect the general public and put them at risk of inadvertently exposing confidential information, the biggest threat is to corporates who hold massive amounts of personal data about their customers and their staff. All too often data loss in the corporate environment is simply the result of negligent behaviour by uneducated users who do something as basic as clicking on a malware-infected e-mail.”
According to Roseveare, a big threat to business is where private negligence can cause corporate issues, meaning when people use private devices on their own Internet and for private use. “They don’t even access company resources remotely but then they access applications, or they want to register for the likes of Facebook, and they use their company details (such as their e-mail address) and all too often they also use their work password to register. Hackers then get into the databases for sites such as Facebook, LinkedIn or even Ashley Madison, obtain those credentials and use them for external attacks.”
There have been several well publicised incidents of cyber crime recently, underscoring the need for businesses of all sizes to be vigilant about online security.
How did it happen?
Well, there are several ways in which people can be persuaded into sharing information that they wouldn’t ordinarily disclose. We all know not to click on links in e-mails or to open attachments from unknown sources, but what about that phone call from the bank or your cellular provider asking you to confirm your personal details?
However, not all identity thefts are that simple. In September this year, a US credit reference agency reported a hack that affected the data including credit card details of up to 143 million people. The implications of such a large-scale attack are widespread, including the damage caused to that company’s brand and reputation. It’s believed that the hack took place through a third party company that did business with the credit reference agency.
The right thing to do
What do you do if your customers’ personal data is exposed? Well, the most important thing is to establish exactly what confidential information was stolen. Then you need to let the affected people know immediately, says Roseveare, so that they can notify their financial institutions if their banking information has been breached.
Prevention is better than cure
Naturally, prevention is the preferred route, and there are several measures that businesses can take to identify potential breaches before they can happen. However, says Roseveare, much as in other remedial programmes, the first step is admitting that you may have a problem or, in this case that your system is indeed vulnerable to attack.
It’s important to note that the increasingly mobile workforce and the associated trend towards BYOD (bring your own device) make the job of safeguarding your company’s data that much more difficult. Roseveare breaks it down into three areas: “You need to protect the device, you need to protect the data, and you need to protect the access.
Measures that you could and should implement include multi-factor authentication instead of just a single password when accessing certain types of data, says Roseveare. So a combination of fingerprint, PIN, strong password, even iris scanning or facial recognition can be used to ensure that only authorised users can access certain applications and information.
While firewalls and anti-virus software certainly play integral roles in data security, these are powerless against the hapless individual who opens an e-mail that appears to come from a trusted source.
It may seem obvious, but educating your workforce and other users around the risks inherent in clicking on a link or attachment in an e-mail from someone that they don’t know, is one of the most basic things that you can do to protect your personal data.
Roseveare concludes by saying: “If the information above has sparked a fear that your business could well be vulnerable to attack, then we’ve achieved what we set out to do. A little healthy fear can save your business and your identity from malicious attacks of this nature.”