A hacker is just one staffer away

Attackers and companies share a common instrument for achieving their goals: the employee. An employee is the link that lets an intruder in with no fuss, and more often than not that employee is not an IT staff member.

95% of cybersecurity breaches have been attributed to the human factor.

Aiding hackers

David Kent built a social networking site for oil company professionals called Rigzone.com. In 2010 Kent sold it to DHI Group for $51 million and, as part of the sale, signed a non-compete agreement.

After the agreement expired he started a similar site, Oilpro.com, hoping to create another potential acquisition for DHI. He built Oilpro's membership up to 500,000 users, and DHI became interested in purchasing it for $20 million.

But Kent was also a hacker: he broke into the site he had already sold and stole over 700,000 customer accounts. A former colleague who was still employed there helped him access the data. A Rigzone customer complained that it had received spam from Oilpro without ever having given that company any information. Rigzone, now alerted, set up a few fake accounts and received spam from Oilpro as well. The FBI helped investigate the case, and Kent got three years in prison.

Unwitting act

The notorious Target incident remains one of the biggest exposures. The attackers compromised the personal data of 70 million people. The hackers installed memory scrapers on Target's point-of-sale devices and accessed the company's assets to obtain inside information. They broke into the systems of one of Target's contractors, Fazio Mechanical. One of Fazio's employees fell for a phishing scheme that installed the Citadel malware, which captured account details whenever someone logged into the Target network.

Phishing is only one of many ways external offenders approach staff members. Social engineering comprises many tactics for getting employees to talk. Pretexting lets violators present a convincing identity to the person they are communicating with, and baiting gets someone unaware of the malicious purpose to pick up an infected USB drive left within the corporate environment and use it on a company device. Confidential data can be compromised by mere tailgating, or simply by calling or writing to a company's employees under the pretence that they need to be informed about an issue.

Psychological manipulation is among the favourite techniques of cyber attackers. Information is gathered, fraud committed and systems accessed as soon as an employee is persuaded or motivated to take some action or to recklessly reveal sensitive information.

Social Media

Social media stands out among the many traps where attackers hunt for easy prey. Hackers hide their web inside unremarkable social media posts: at the Pentagon, for example, an employee followed a link on Twitter advertising a family trip offer. One click, and the hackers had access to the Pentagon's assets. The New York Times has emphasised the frequent occurrence of breaches via social media, which stems from people thinking their accounts are surrounded by friends only.

With your log-in or personal data in hand, hackers can address you as a trusted organisation that knows exactly what to offer or to ask you about. Oversharing in a profile or in correspondence feeds attackers with details that users would never think could compromise their businesses or the companies they work for. Some specialists are even meticulously selected because they represent the number-one target at a specific company. Authentication information, email addresses, and even the wording of the message a hacker will send to an employee to extract the desired data can all be gleaned from social media.

Profile information helps attackers personalise scams.

The technologies many companies are used to are not enough to avoid insider risks. Businesses have to resort to people analytics and statistical analysis. None of the above cases could have been detected without these means of control.

People analytics

By collecting staff correspondence with the help of profiling instruments, you can obtain an unbiased assessment of staff, get recommendations on which employees to grant access to data or which tasks to assign in order to mitigate risks, measure the health of the workplace environment and discover employee moods.

Get detailed characteristics and relevant qualities of each employee

Profiling techniques include identification and determination of:

  • Thinking patterns
  • Personality traits and emotions
  • Loyalty and reliability level
  • Propensities and criminal tendencies

Statistics

Detect unusual communication and identify abnormal activity, for example the use of command-line tools or the editing of binary files when these activities are not part of an employee's job-related tasks.

User behavior management and detection of atypical usage of technology

Capture abnormal network connections, excessive amounts of transferred or uploaded information, etc.
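The baseline-and-deviation check this section describes, as an added example that is not from the original post: the role profiles, the audit-event format, the sample events and the spike threshold are all constructed for illustration.

```python
# Added example (not from the original post): flag the kinds of anomaly the
# section names: activity outside an employee's job role, an unusually large
# upload compared with that user's own history, and an unfamiliar destination.
from collections import defaultdict
from statistics import median

# Constructed role profiles: which activity types are expected for each role.
ROLE_ACTIVITIES = {
    "accountant": {"spreadsheet_edit", "email_send", "file_upload"},
    "developer": {"shell_exec", "binary_edit", "file_upload", "email_send"},
}

# Constructed list of destinations the organisation normally sends data to.
KNOWN_DESTINATIONS = {"fileserver", "crm.example", "git.example", "localhost"}

# Constructed audit events: (user, role, activity, destination, bytes_out).
EVENTS = [
    ("ann", "accountant", "spreadsheet_edit", "fileserver", 120_000),
    ("ann", "accountant", "file_upload", "crm.example", 2_000_000),
    ("ann", "accountant", "file_upload", "crm.example", 1_500_000),
    ("ann", "accountant", "shell_exec", "localhost", 0),                 # not her job
    ("ann", "accountant", "file_upload", "paste.example", 900_000_000),  # volume spike
    ("bob", "developer", "shell_exec", "localhost", 0),
    ("bob", "developer", "binary_edit", "fileserver", 4_000_000),
    ("bob", "developer", "file_upload", "git.example", 30_000_000),
]

def upload_baselines(events):
    """Median upload size per user; the median is robust, so one spike does not move it."""
    sizes = defaultdict(list)
    for user, _, activity, _, nbytes in events:
        if activity == "file_upload":
            sizes[user].append(nbytes)
    return {user: median(values) for user, values in sizes.items()}

def find_anomalies(events, spike_factor=10):
    """Return (user, reason, detail) tuples for events deviating from role, volume or destination baselines."""
    baseline = upload_baselines(events)
    findings = []
    for user, role, activity, dest, nbytes in events:
        if activity not in ROLE_ACTIVITIES.get(role, set()):
            findings.append((user, "activity outside role", f"{activity} by {role}"))
        if activity == "file_upload" and nbytes > spike_factor * baseline[user]:
            findings.append((user, "upload volume spike", f"{nbytes} bytes to {dest}"))
        if dest not in KNOWN_DESTINATIONS:
            findings.append((user, "unusual destination", dest))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(finding)
```

In practice the role profiles and baselines would come from the HR system and from weeks of audit history rather than a handful of literals, but the structure of the check is the same.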

Technical measures

Protection from unsolicited correspondence and oversharing is both possible and necessary:

  • integrate a comprehensive monitoring system to give you full visibility into communication channels
  • tackle access control carefully: access to corporate social media, as to any other sensitive asset, should be given to a limited number of employees
  • make sure your policies match the current risk level
  • implement a behavioural risk management programme

Preventive measures will help businesses minimise the risks of both malicious and accidental data breaches, as well as social media overexposure.

Alex Parfentiev
Major threats to your business: human factor

Leading Analyst at https://searchinform.com/, I’m here to address those human factor risks many businesses often neglect or aren’t even aware of