Help to protect your company from cyber criminals using social engineering.
It doesn’t matter how big or small the business is – every company needs to look at its own staff and at where the entry points for cyber-criminals using social engineering could be.
All of this may sound a little bit like James Bond but unfortunately, we don’t always know where the cyber-criminals are these days; they could be inside your systems or sitting on a sofa in the coffee shop across the road, trying to steal your company’s secrets or data.
The easiest way into a company these days is via a computer system, rather than the front door.
And it is people who are the weakest link in any computer network.
Social engineering is the process by which attackers use psychology, rather than software or code, to gain access to your network through your staff.
Phishing (a fake email designed to hook you), vishing (phishing by voice call) and smishing (phishing by SMS text message) are all forms of social engineering.
Social engineering is something we can all fall foul of so easily because we are human and, as such, we like to trust people.
But it has always been said that a criminal only has to be lucky once, whereas we have to be on our guard 100 per cent of the time.
Social engineering will often start with a simple phone call.
So the first point of entry into your company is likely to be the person who answers the phone and fields calls at the very first point of contact.
If you have a receptionist, do they know about phishing, vishing and smishing?
Receptionists are often a key access point into a company.
Does your receptionist have good cyber-knowledge?
Do they know how social engineers operate?
Salespeople are gregarious by nature and tend to talk to anybody. Have you gone through cyber-security with them?
How do they protect themselves and their passwords on screens when they are with clients?
Do they know that they shouldn’t be seen typing their password into a keyboard?
If you are in an internet café, someone could be shoulder-surfing you as you type in your password.
Is that password shared by everyone in the company? All of these things need to be looked at.
Social engineering criminals do their research. They will most likely visit your website, root through your contacts and might even have the nerve to visit your company in person, so we all need to raise our level of scepticism.
Dating sites – there is nothing wrong with them, but make sure staff are aware of the dangers of moving off those sites to continue conversations elsewhere, and that they are careful about what information and pictures they exchange. Many criminals use these sites as a first point of contact to gain access to someone’s heart, using fake profile pictures and details. They then use the ‘trust’ they have built up to obtain personal and business details that may be sold to others, or used to blackmail the victim. Criminals will often take weeks or months building up the pretence of being a ‘trusted’ friend. They may look to gain a hold over the victim by exchanging nude pictures that can later be used to blackmail that employee.
The ABC of policing is: accept nothing, believe nothing, challenge everything.
By challenging things you will filter out these criminals: ask them questions, ask them to email you from their company address, and ask them to prove they are who they say they are. If they claim to be calling from your bank or a supplier, ring them back on a number you already hold, not one they give you.
Nowadays, we have to assume that people may be pretending to be someone else.
They could even meet you in the pub and gain information about you and your habits.
Do your staff know what information they are sharing on social media, and who can see it? What are their privacy settings and is there a company policy surrounding the use of social media?
Do they know how to lock their accounts down on Facebook and Instagram to make sure other people can’t see everything about them?
If I were a criminal wanting to break into a company’s network, I would find out where the weak points are, just like a burglar looking for the weakest point of entry into a building.
What if the criminal leaves a USB stick in the car park, loaded with malware? How many of your employees would pick it up and plug it into a work PC to see who it belonged to – or have a good nose around to see what was on it? By the time they realise there was malware on it, your network could already be infected. What is your company policy on USB sticks and external devices in general?
Who is disgruntled with the company, or has already left, but still has access privileges?
When someone leaves the company, how quickly do they lose access to their account? Is it immediately? Is it two months?
Do your employees know when a colleague leaves the company – so they know not to let them back onto the network?
Does your company have people who left years ago who could, if they wanted to, still log back onto your systems?
If that is the case, you need to address it now!
Detective Constable Gareth Jordan has been a police officer for 13 years and, prior to that, was employed in the IT and pre-press and print sector.
Gareth is now based at Police HQ in Carmarthen and has been involved in investigating all forms of crime that have a cyber element to them.
He has a wealth of knowledge regarding cyber security and continues to expand it through his day-to-day involvement in the investigation of cyber-based crimes.
Gareth knows about the latest cyber scams and can explain how they are carried out – and more importantly – how you can avoid falling foul of them.