Your everyday company data breach on the go
“The thing with sensitive information is that often people do not fully realize how sensitive it can be”
“So, how’s your week been so far?” “Oh you know, the usual. Actually, did you know that I just heard that they are going to sack 100 people over in Paris? I mean, keep this to yourself, but I got it from Eric over at HR”
This is just one out of many corporate secrets I have had the opportunity of eavesdropping on. Despite having an OSCP certificate that would otherwise allow me to actively hunt for sensitive data, this one was just effortless. I didn’t even ask for the info. It just came to my ears. Just rest assured, I’m not going to do anything with this info.
At the same time, you really should start worrying. All around me are people that overheard the same conversations. You see, they didn’t take place around the coffee corner or the lunch table. It was on the train to work. Just like that, some of your company internals were out there for anyone to catch. And that is an issue. In today’s world, early word about large dismissals could easily escalate into a PR issue and damage share prices. But it doesn’t stop with HR data. This is my top 5 of the worst commute breaches I’ve personally overheard on a crowded train:
- Juicy info about a sales deal worth 250k EUR
- Details about vulnerabilities in a corporate mail server
- A tip about how to bypass a corporate firewall to “download stuff”
- Salary info (along with first name and function)
- Horrific insights into how certain support tickets are simply ignored
In each of those cases, it was relatively easy to find out which company the people worked for, either because the company name was mentioned in the conversation or because of another detail (such as a branded umbrella or backpack, etc…). However, even without those, anyone with bad intentions could easily find a way to link the data to a company. It’s what fraudsters do on a daily basis.
I realize that some of you might be turning rather pale while reading this. (If you aren’t, I suggest getting in touch to discuss what kind of havoc these kinds of disclosures may wreak.) Some of you might consider issuing a new policy that strictly prohibits talking about the company in public. But that’s not the solution. Those people aren’t even the issue. They didn’t mean any harm. They might not even have the slightest clue of the importance of their findings. You see, the thing with sensitive information is that often people do not realize how sensitive it can be.
Like most things in cybersecurity, most of the problems can be avoided by creating awareness. Employees have to learn to identify information that may cause harm in the wrong hands. Surely, they will have had a training session or two about it already, but make it tangible. Show them how fraudsters can abuse this data to manipulate people. Inform them about the risks of feeding cybercriminals seemingly trivial details and how it helps them infiltrate even the most complex security systems. Prove to them that it actually does happen and give them an idea of what the consequences are.
The human element, after all, isn’t the weakest link in IT security. It’s mostly ignorance, and the only way to combat ignorance is with proper training and knowledge.