Jon Fielding, Managing Director EMEA, Apricorn
The line between personal life and work life was already hazybefore the pandemic arrived. It’s now well and truly blurred – particularly when it comes to the devices we use to communicate and get things done. The cyber-threats organisations face have crossed the line in turn, with phishing,for instance, now bread-and-butter for attackers looking to compromise employees in order to access corporate networks and systems.
It’s likely that other tactics traditionally used to target private individuals will follow, as criminals recognise them as potential vectors by which they can infiltrate enterprises, as well as exfiltrate the increasing volumes of data being stored on devices. Like phishing, these tactics are not particularly sophisticated; they simply leverage the IT processes we use every day, while taking advantage of human fallibility.
Take the thief who has been stealing London gym-goers’ phones and cards from their lockers, and changing access to their bank accounts, resulting in the loss of thousands of pounds. The perpetrator leverages the security passcode process by which banks enable users to access their accounts from a new device, combined with the fact that most of us probably haven’t blocked notifications from popping up when our phones are locked.
The thief registers the card on the bank’s app on their own device, following which the bank sends a one-off verification passcode to the stolen phone. This flashes up on the screen, allowing the thief to enter it and gain control of the victim’s accounts.
The SIM-swapping swindle
Another scam that could cross the work/life divide is SIM-swapping. The recent arrests of suspected members of SIM-swapping rings in Spain and the UK have highlighted the potential scale of these operations, and the disruption and loss that can ensue.
The scam involves criminals tricking users or their mobile network providers into switching their phone number to a SIM card which is in the criminal’s possession. This enables them to ‘take over’ the device, access any apps and accounts linked to it, and – crucially – receive calls and messages intended for the user, including texts relating to multi-factor authentication (MFA). They can then change passwords, intercept emails, and steal money and data.
While SIM-swapping is currently used to target individuals – in fact, reports by consumers to Action Fraud have risen 400% in five years – targeting employees’ devices could also provide a lucrative way of accessing corporate systems, networks and applications, as well as the data stored on them.
Organisations must keep up-to-date with the types of fraud and scams emerging in the consumer environment, and be aware of how these might manifest in the enterprise environment. They should then take proactive steps to protect themselves against the threats, as well as strengthening their resilience in the event that attackers find a way around theirdefences.
Secure the endpoint
Applying security controls to all devices – personal and corporate – that connect to the enterprise network will block unauthorised attempts to gain access, and allow employees to carry out their work safely. Solutions might include data loss prevention, detection and response, application control, privileged user access and network access control.
Encrypt the data
Implementing a company-wide policy that requires the end-to-end encryption of data, whether it’s at rest or in transit, will provide a straightforward way of managing risk to critical information in a complex working environment.
One third of all respondents to Apricorn’s latest survey of UK IT leaders said their organisations had introduced a policy to encrypt corporate information as standard in the last year, with almost half (47%) now requiring all data to be encrypted.
Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data. Being able to show that the measure was in place if a cyber-attack occurssupports governance, giving organisations the ability to demonstrate transparency and due diligence in the event of a successful breach.
Employees – and indeed contractors and suppliers – should receive ongoing training in how threats to the business are evolving, with real-world examples that bring the risk to life.They need to know what to watch out for, and receive a solid grounding in security hygiene measures such as when to change passwords, recognising dodgy links in emails, and not leaving their corporate credit cards and phone together.
Building awareness of the need to have a watchful and alert attitude outside of work is also crucial. We have a propensity to let our guard slip in certain contexts: one reason the gym locker thief was successful is that everyone in the changing room assumed the people around them were there legitimately.
Back up information online and offline
Mandating the offline storage of critical data is another way of keeping it out of reach of hackers.
In Apricorn’s survey of IT decision makers, 99% said their organisations have a data backup strategy in place – and more than 70% have had to recover information from their backups following an incident. However, more than a quarter (26%) have found themselves unable to fully restore all data or documents when they’ve needed to.
Companies should follow the ‘3-2-1 rule’: have at least three copies of data, on at least two different media, with at least one copy held offsite. To protect information stored on devices that could be targeted by cyber-criminals, employees should also make local backups of their data offline, ideally to a corporate-approved removable USB or hard drive that automatically encrypts the information written to it. This will also help the business to get up and running again quickly following a breach, by restoring from a clean, protected data set.
Criminals will continue to look for new ways to take advantage of ‘blips’ in people’s concentration, and holes in corporate security processes – and they will continue to find their way around the most stringent security controls. Every organisation must act now to build awareness of the ‘consumer’ scams that could be used to target their employees, and take steps to safeguard themselves and mitigate the impact of any such attack, on a data, device and user level.