Recap: In our last two blog installments, Corey Bolger discussed the importance of personal cyber security for your staff when building a solid cyber security strategy for your business, and Jenna Waters addressed the privacy practices, legal implications, and security concerns surrounding the social media giant, Facebook. This week, we are going to bring that to bear, looking into how personal privacy and information security can affect your organization. What information is out there? If it’s primarily personal data, what does that have to do with my business?
What Personal Information is “Out There”?
The fact is that we live in an age of technological leaps and an alarming reliance on immediate access to information. We can perform nearly any task with the simple click of a button. Just enter your full name, SSN, DOB, place of birth, religious affiliation, mother’s maiden name, first pet, father’s middle name, first school, favorite school teacher, bank account number, routing number, credit card number, 4-digit recovery PIN, 15-character password with uppercase, lowercase, number, and special character, and the soul of your firstborn child. OK, I’m exaggerating, but think about it. Really think. Combine all the small bits of personal data you have shared at some point and you have enough to build a complete picture of who you are, where you live, what you buy, and so on, and it is all out there, somewhere. Now it’s time to ask the really scary questions. Do these individual entities, each holding a little piece of you, talk to one another? Do they share information? And if so, what does that have to do with the security of your business?
The short answer is yes. Our penetration testers at TRUE can tell you exactly where to find those snippets, mostly in publicly available places, and sometimes already aggregated by identity. They regularly use open source tools and data dumps from historical breaches, such as the well-publicized ones at Yahoo, LinkedIn, and Facebook, to recover old passwords. What are the chances that at least one person in your organization is still using one of those old passwords, or a close variation of it? The tools exist, even commercially, to scan massive amounts of structured or unstructured data, identify every instance of personal data relating to a single individual, and organize it so that it is combined and searchable by person. In the hands of a security professional, this supports minimal-use (data minimization) policies organization-wide: finding and eliminating superfluous copies of someone’s personal information and ensuring that whatever remains is properly secured. In the hands of a threat actor, the same capability means the attacker can aggregate everything known about an individual and craft a phishing or spear phishing attack that is as convincing as possible.
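To make the "scan, identify, and group by person" idea concrete, here is a small added example of the defensive use described above. It is illustrative code written for this post, not a TRUE tool and not any commercial product; it scans a handful of constructed text fragments (an HR export line, an email body, a line in the `email:password` shape of a breach dump, an invoice draft) for email addresses, SSNs, phone numbers and card numbers, validates card candidates with the Luhn checksum to cut false positives, and groups everything it finds under the email address that appears in the same record. The sample records, the regular expressions and the grouping rule are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample corpus standing in for the places personal data piles up.
# None of this is real data; the card number is the standard 4111... test PAN.
SAMPLE_RECORDS = [
    "HR export: Jane Doe, jane.doe@example.com, SSN 123-45-6789, phone (555) 010-2233",
    "From jane.doe@example.com: my card on file is 4111 1111 1111 1111, exp 12/27",
    "breach_dump_2016.txt: jane.doe@example.com:Summer2016!",
    "Invoice draft: contact bob@example.com, ref 1234-5678-9012, card 4111 1111 1111 1112",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b")
# 13-19 digits with optional separators; candidates are confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# A whole record shaped like a credential dump line, optionally prefixed "source: ".
DUMP_RE = re.compile(
    r"^(?:[^:]*:\s*)?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}):(\S+)$"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(records):
    """Group every PII hit in `records` under the email found in the same record.

    Returns {identity: {category: sorted list of values}}. Records without an
    email are grouped under "(unattributed)" so nothing is silently dropped.
    """
    findings = defaultdict(lambda: defaultdict(set))
    for rec in records:
        emails = [e.lower() for e in EMAIL_RE.findall(rec)]
        owner = emails[0] if emails else "(unattributed)"
        for e in emails:
            findings[owner]["email"].add(e)
        for ssn in SSN_RE.findall(rec):
            findings[owner]["ssn"].add(ssn)
        for phone in PHONE_RE.findall(rec):
            findings[owner]["phone"].add(phone)
        for cand in CARD_RE.findall(rec):
            digits = re.sub(r"[ -]", "", cand)
            if luhn_ok(digits):         # drop reference numbers that merely look like PANs
                findings[owner]["card"].add(digits)
        m = DUMP_RE.match(rec)
        if m:                           # an old password tied to this identity
            findings[owner]["leaked_password"].add(m.group(2))
    return {o: {k: sorted(v) for k, v in cats.items()} for o, cats in findings.items()}


def reuse_check_candidates(findings):
    """Identities with a leaked password; feed these to a password-reuse check."""
    return sorted(
        (owner, pw)
        for owner, cats in findings.items()
        for pw in cats.get("leaked_password", [])
    )


if __name__ == "__main__":
    results = scan(SAMPLE_RECORDS)
    for owner, cats in results.items():
        print(owner)
        for category, values in cats.items():
            print(f"  {category}: {', '.join(values)}")
    print("reuse-check candidates:", reuse_check_candidates(results))
```

Two things worth noticing when you run it: the invoice reference number and the slightly wrong card number never show up, because only Luhn-valid candidates are kept, and the single record from the breach dump is enough to attach an old password to an identity that also has an SSN and a card on file. That last grouping is exactly what a spear-phisher wants and exactly what a minimal-use review should be hunting for. A production scanner would add name matching, fuzzy identity resolution and many more patterns, but the shape of the problem does not change.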
Now you may be asking yourself, “That is great information, but what does it have to do with my business?” Scenario 1: the person in charge of your accounts payable is specifically targeted in a phishing attack, and the thieves use that person’s email account to send wire instructions that move money directly from your organization’s bank accounts to theirs. Yes, this happens, and yes, we see it in the field quite often. Scenario 2: one of your engineers reuses a password that was exposed in an old breach, an attacker logs in with those credentials, and a competitor ends up with your company’s trade secrets. The potential damage here is immense, to say the least.
Again, I’ll point back to the strong points made by my colleague, Corey Bolger, about the power of personal security in your company’s Security Awareness Training. People pay better attention to things that interest them or affect them personally. That is why phishing tactics work so well, and it is also why internal phishing campaigns are generally more effective training tools than classroom-style security awareness training, though both are certainly necessary. In short: if your employees are more personally secure, your business will be more secure.
This raises the question, “How do we reach our users?” I believe, as Corey Bolger argues, that the answer is to make the information personally relevant. If you teach your employees how to secure their personal accounts, they will absorb those lessons more fully, and as they pay more attention to their personal security and privacy, their security focus at work will increase along with it. As an additional benefit, employees may feel a stronger connection to their employer when the employer takes a vested interest in their well-being outside of work.