Attackers are developing bigger, scarier, and more complex viruses, but increasingly, the biggest part of cyber security that businesses should be wary of is the human aspect. Companies can build secure infrastructure protected from external threats with firewalls and private networks, but that doesn’t mitigate the risk of threats, malicious or unintentional, from inside the organisation.
Advances in social engineering
Social engineering is the act of manipulating an individual into giving up confidential data. Hackers could infect a network with malware and go in through the back door, or they could trick an employee into giving out a password and stroll right in through the front.
As the average user becomes savvier to traditional methods of social engineering, hackers are having to be smarter in the ways that they try to obtain data. In a business sense, something as simple as tricking a user into clicking a malicious link can give the attacker access to the entire network. People know to ignore emails from pleading strangers who are in desperate need of bank details, but when that email comes from someone you know, you might think twice before clicking ‘Mark as spam’.
Hackers can easily scroll through a potential target’s Facebook account to find the name of a friend of the victim. Then they can send the victim an email pretending to be that friend, and the victim will be more likely to fall for it if they think it’s come from someone they know.
TIP: On the topic of social media, be careful with the personal details that you give out. What may seem like a harmless game where “Your rap name is the name of your first pet plus your mother’s maiden name” could actually be a phishing scam used to find out the answers to common account recovery questions.
Often cyber security threats can come internally from current or ex-employees. These employees can gain unauthorised access to confidential data, or infect the network with something malicious.
‘Shoulder surfing’ is the simple act of one person observing someone typing their password. There is precedent for this happening. A disgruntled or soon-to-be-leaving employee could stand behind a desk and watch other employees typing their passwords. This unauthorised access could be disastrous to a business.
Passwords on Post-its
Even easier than memorising a password observed over a shoulder, internal threats can come from employees writing down passwords and sticking them to their computer monitors – yes, that happens. Obviously, this makes it very easy to obtain login details that could then be used to defraud or infect a company.
Thumb drives inserted into computers
Employee machines can be infected with keylogging software loaded onto a simple USB drive. An attacker would just have to sneak the USB drive into the back of a computer, and they’d have access to the personal details and passwords of the user.
TIP: To avoid these internal threats, businesses should educate their employees with security courses and communications on the importance of being vigilant with their passwords. Password manager software like KeePass or Dashlane can securely store passwords, so you don’t have to remember all of them.
Similar to social engineering, baiting methods trick users using information obtained about the person. For example, a hacker could check social media sites and learn that the target has an interest in Game of Thrones. That knowledge gives the attacker some bait. Instead of a generic email, the attacker could send the target an email that says “Click here to watch the latest Game of Thrones episode”. The user is more likely to click the button which, of course, is actually a malware link, and not the most recent episode of Game of Thrones.
Another way attackers are tricking users into downloading malware from emails is through unsubscribe buttons. By law, every marketing email must contain an unsubscribe link so that consumers can opt out of receiving communications.
An attacker could send repeated emails to a user that look like special marketing offers from a clothing company (or similar). The emails look harmless enough, but if the user is not interested in the company, or thinks the emails are too frequent, they can press the unsubscribe button to stop receiving them. Except in this hacker’s phishing email, clicking the unsubscribe button actually downloads the malware.
TIP: A properly configured anti-spam filter on your email inbox should stop these emails from getting through, but again, it’s best to stay vigilant.
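One check a mail filter can apply to the unsubscribe trick described above, as an added example and not code from the original article: compare each "unsubscribe" link in the body against the sender's domain and flag links that are not HTTPS, point at a different domain, or end in a downloadable file. The sample message, the retailer name, the domains and the file name are all constructed for this demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from any real campaign): the visible sender
# is a clothing retailer, but the "Unsubscribe" anchor points at another
# domain and fetches an executable instead of opting the reader out.
SAMPLE_EMAIL = """From: "Bellwether Outfitters" <offers@bellwether-outfitters.example>
To: employee@corp.example
Subject: 40% off this weekend only
Content-Type: text/html

<html><body>
<p>Big savings this weekend!</p>
<p><a href="https://bellwether-outfitters.example/sale">Shop now</a></p>
<p><a href="http://cdn-offers-cheap.example/unsubscribe/unsubscribe.exe">Unsubscribe</a></p>
</body></html>
"""

# File extensions a genuine unsubscribe link has no business serving.
DOWNLOAD_EXTENSIONS = (".exe", ".scr", ".js", ".zip", ".msi", ".bat", ".hta")

def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def unsubscribe_findings(raw: str) -> list[str]:
    """Return the reasons each unsubscribe/opt-out link in the message looks suspicious."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.split("@")[-1]) if "@" in sender else ""
    body = msg.get_payload()
    findings = []
    # Only anchors whose visible text offers to unsubscribe or opt out.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        if not re.search(r"unsubscribe|opt[- ]?out", text, re.I):
            continue
        url = urlparse(href)
        if url.scheme != "https":
            findings.append(f"unsubscribe link is not HTTPS: {href}")
        if registered_domain(url.hostname or "") != sender_domain:
            findings.append(f"unsubscribe link domain {url.hostname} does not match sender domain {sender_domain}")
        if url.path.lower().endswith(DOWNLOAD_EXTENSIONS):
            findings.append(f"unsubscribe link points at a downloadable file: {url.path}")
    return findings
```

A real filter would also check the List-Unsubscribe header and resolve redirects before judging the final URL; the domain comparison here is deliberately simple.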