While it's true that attackers are developing more complex viruses and malware all the time, it is increasingly clear, and often forgotten, that the biggest security threat to businesses does not actually come from software, but from human beings themselves.
Companies can build the most secure infrastructure in the world to protect their data from external threats, with solutions such as firewalls, VPNs and secure gateways, but that doesn't mitigate the risk of threats, malicious or otherwise, from within the organisation itself. This low-tech way of hacking has become increasingly popular in recent years, with well-known brands falling victim to fraudsters contacting junior finance administrators requesting funds after doing a little LinkedIn investigating.
Additionally, with the internet forming so much of most people's daily routine, and many employees logging into personal accounts at the workplace, it's important to remember that there is also a crossover between personal details and your business information when it comes to online safety. If a hacker obtains your personal details, they can access your professional ones too.
Here, then, are four ways that hackers can bypass your security and steal your data.
01. Social engineering
The genesis of any human-led cyber security threat is social engineering: the act of manipulating an individual into handing over confidential data. Sure, hackers could infect a network with malware and go in through the back door, or better still, they could just trick an employee into giving out a password and stroll right in through the front without raising any alarm bells. Once a hacker has an individual's password, there is little you can do to stop them, since their activity will appear to be authorised.
Social engineering techniques have had to become more sophisticated over the years as the average user has become savvier to the traditional methods hackers use. So hackers are now having to be smarter in the ways that they obtain data. In a business sense, something as simple as tricking a user into clicking a malicious link can give the attacker access to the entire network. People know to ignore emails from pleading strangers who are in desperate need of bank details, but when that email comes from someone you know, you are much less likely to click 'Mark as spam'.
Hackers can easily scroll through a potential target's Facebook account to find the name of a friend of the victim. Then they can send the victim an email pretending to be that friend, and the victim will be more likely to fall for it if they think it's come from someone they know.
TIP: On the topic of social media, be careful with the personal details that you give out. What may seem like a harmless game where 'Your rap name is the name of your first pet plus your mother's maiden name', could actually be a phishing scam used to find out the answers to common account recovery questions.
02. The low-tech internal threat
Instead of a faceless enemy, most internal cyber security threats actually come from current or ex-employees. These employees can gain unauthorised access to confidential data, or infect the network with something malicious. These internal threats can take many forms:
- Shoulder surfing
'Shoulder surfing' is the simple act of one person observing someone typing their password. There is precedent for this. A disgruntled or soon-to-be-leaving employee could casually stand behind a desk and observe other employees typing their passwords. This simple act might lead to unauthorised access, which could be disastrous to a business.
- Passwords on Post-it notes
Even easier than memorising a password observed over a shoulder, internal threats can come from employees writing down passwords and sticking them to their computer monitors – yes, that actually happens. Obviously this makes it incredibly easy for someone to obtain login details that could then be used to defraud or infect a company. The good news is that this carelessness is easy to rectify.
- Thumb drives inserted into computers
Employee machines can be infected with keylogging software loaded onto a simple USB drive. An attacker would just have to sneak the USB drive into the back of a computer, and they'd have access to the personal details and passwords of the user.
TIP: To avoid these internal threats, businesses should educate their employees with security courses and communications on the importance of being vigilant with their passwords. Password manager software like KeePass or Dashlane can securely store passwords, so you don't have to remember all of them. Alternatively, you can lock down the USB ports of your workstations so that unauthorised devices cannot be connected at all. This approach does need to be considered carefully, however, because it makes every workstation much less flexible and increases the workload for the IT department, since every new USB device will require approval before it can be used.
03. Baiting
Similar to social engineering, baiting methods trick users with information obtained about the person. For example, a hacker could check social media sites and learn that the target has an interest in Game of Thrones. That knowledge gives the attacker some bait. Instead of a generic email, the attacker could send the target an email that says 'Click here to watch the latest Game of Thrones episode'. The user is more likely to click the button which, of course, is actually a malware link, and not the most recent episode of Game of Thrones.
Similarly, with so much information listed publicly on LinkedIn, it can also be easy for attackers to research a reporting structure, then impersonate the CEO in a message to a junior employee requesting a transfer of funds to a particular account. As far-fetched as that may seem, there are well-known incidents of this taking place. Eavesdropping is a similar method, with attackers listening to business conversations in coffee shops, on public transport and even as a supplier in an office environment.
04. Unsubscribe buttons
Another way attackers are tricking users into downloading malware from emails is through unsubscribe buttons. By law, every marketing email must contain an unsubscribe link so that consumers can opt out of receiving communications. An attacker could send repeated emails to a user that look like special marketing offers from a clothing company (or similar). The emails look harmless enough, but if the user is not interested in the company, or thinks the emails are too frequent, they can press the unsubscribe button to stop receiving emails. Except in this hacker's phishing email, clicking the unsubscribe button actually downloads the malware.
TIP: A properly configured anti-spam filter should stop these emails, but again, it's best to stay alert.
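As an added illustration of the kind of check a mail filter can apply to the unsubscribe trick described above (this is example code, not from the article or any named product), the following Python script parses a constructed marketing-style message and flags unsubscribe links whose host does not match the sender's domain or that point at an executable download. The hostnames and message content are made up for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real mail): the unsubscribe link in both the
# List-Unsubscribe header and the HTML body points at a host unrelated to the sender.
SAMPLE_EMAIL = b"""From: Offers <offers@example-clothing.test>
To: staff@example-corp.test
Subject: 50% off this weekend only
List-Unsubscribe: <https://tracker.example-evil.test/u?id=123>
Content-Type: text/html

<html><body>
<p>Big savings this weekend!</p>
<p><a href="https://example-clothing.test/shop">Shop now</a></p>
<p><a href="https://tracker.example-evil.test/unsub.exe">Unsubscribe</a></p>
</body></html>
"""

def registered_domain(host):
    """Crude last-two-labels comparison; a production filter would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def unsubscribe_targets(raw):
    """Collect unsubscribe URLs from the List-Unsubscribe header and from body anchors."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    targets = [("header", u) for u in re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))]
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        if "unsubscribe" in text.lower() or "unsub" in href.lower():
            targets.append(("body", href))
    return msg, targets

def suspicious_unsubscribe_links(raw):
    """Return (location, url, reason) tuples for unsubscribe links that look untrustworthy."""
    msg, targets = unsubscribe_targets(raw)
    sender_host = msg["From"].addresses[0].domain
    findings = []
    for where, url in targets:
        p = urlparse(url)
        if p.scheme == "mailto":
            continue  # mailto: unsubscribe addresses are checked elsewhere
        if p.scheme != "https":
            findings.append((where, url, "non-https scheme"))
        if registered_domain(p.hostname or "") != registered_domain(sender_host):
            findings.append((where, url, "host does not match sender domain"))
        if p.path.lower().endswith((".exe", ".scr", ".js", ".zip")):
            findings.append((where, url, "link points at an executable download"))
    return findings
```

Running `suspicious_unsubscribe_links(SAMPLE_EMAIL)` on the constructed message yields three findings: a domain mismatch for the header link, and both a domain mismatch and an executable download for the body link.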
The key takeaway is to stay vigilant and up-to-date on the array of methods that hackers may use to steal your data. Educate your employees so they are aware of the techniques listed in this article that may be used to acquire content such as their login details or personal data. Encourage employees to question anyone they don't recognise, and to be aware of anyone listening to conversations or shoulder surfing.
All this aside, however, it is worth remembering that the internet remains an overwhelmingly positive and creative place to be, and the world is significantly richer for it. Provided you're vigilant, we can all continue to enjoy its benefits.
This article was originally published in issue 303 of net, the world's best-selling magazine for web designers and developers.