“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”
~ Kevin Mitnick
Before the birth of the Internet, security breaches involving social engineering were in full force via the telephone and fax machines.
One well-known ongoing scam has involved telephone con artists posing as company-approved vendors. They’ll call various departments in organizations until they reach someone willing to cooperate by providing equipment serial numbers, allegedly for repair or supply-ordering purposes. The scammers will obtain the name of the person who provided them with the information and then send invoices to the company for phony supply or equipment repair orders with fingers crossed that no one will check and the company will simply pay them. Another scam involves obtaining those serial numbers and the employee’s name again, shipping below-standard supplies “authorized” by the employee, and then sending an invoice, usually for a charge far above what the supplies are worth. These scams don’t work in every case, but they work often enough to keep them going.
Another pre-Internet scam has targeted employees through faxes sent to companies offering free or discounted travel in the hope of attracting the curious. When an employee calls and is hooked by the sales pitch, he or she is then asked for payment up front via credit card (for processing fees in the case of the free trips). Often the employee loses the payment and also becomes a victim of identity theft.
The Internet Age has brought a new form of social engineering for the purpose of stealing information, called “phishing.” This approach uses emails and malicious websites to pose as trusted sources to trick users into opening a door for them to access confidential or personal data. This wolf-in-sheep’s-clothing method is accompanied by the more aggressive hacking into a company’s or individual’s system in order to steal information for money or power or both. This latter activity has provoked a cyber war among businesses and governments.
The Cyber War
Throughout its history, the U.S. has experienced traditional wars and the Cold War, and now we are in the midst of a worldwide Cyber War. Most recently there appears to be evidence that Russia has hacked certain of our government systems to influence the outcome of our Presidential election, although there are skeptics in both government and the media. However, Congress is strongly considering an investigation into the matter.
Criminal hacking is not new; the U.S. government has been hacked before, and whatever comes of Russia’s alleged hacking of U.S. systems, there should be no doubt that ongoing attempts will be made on systems in government, business, industry and individual households. Think about all the organizations, companies and government agencies that have been hacked in recent years; here are a handful of the most highly publicized companies that have been victimized (although there have been many, many more not as widely reported, including a number of healthcare companies): Ashley Madison, Cisco, eBay, Experian (T-Mobile), Home Depot, J.P. Morgan, Oracle, Sony, Target, the IRS, US DOJ, Weebly, Wendy’s and Yahoo! Even LinkedIn has been hacked. No one, and no entity, is entirely safe.
As citizens, we have been placed on high alert that the U.S. is engaged in serious cyber conflict. But individuals have long known about hacking and have taken steps to protect their own personal security. Employees can use such information and security techniques to protect their employers from criminal cyber attacks as well as social engineering schemes. This includes students, as well, because schools and college campuses are their workplaces.
As we are learning, the level of effectiveness of any cyber security system comes down to the actions of each individual.
What Can One Person Do?
Unless one has been living on Pluto for the past decade or so, the answer to “What can one person do?” to block cyber crime is clear. But in the wake of recent attacks, it’s worthwhile to repeat the areas in which employees can and should take steps to ensure, as much as possible, the cyber security of their employers:
- Computer Updates & Security – Consult, confer and cooperate with your employer’s technical team to ensure that the computers you use have the latest updates, security configurations and anti-virus software. This should apply not only to your office PC or Mac but also to your mobile devices, including laptops, tablets, cell phones, etc. Ensure that all your devices are protected by your company’s firewalls, security software, encryption, passwords, etc., as it is possible for mobile devices to be hacked as well as lost, stolen or misplaced. And if you work from home, either use a company device that is protected or arrange for your company’s tech team to secure your home device in order to protect company data.
- Passwords – Select strong passwords and change them periodically. Avoid easy-to-guess passwords, such as your birthday or that of someone close to you, your wedding anniversary, nicknames or names of family members or pets, or other obvious passwords that can be associated with you and easily hacked. And, very important, don’t use the same password for everything! Hackers are experts at cracking passwords; don’t make it any easier for them to crack yours. And, of course, don’t share your passwords; you may know that last year the U.S. Court of Appeals ruled that password sharing is a criminal offense. Check your company’s policy regarding this new law.
- Downloads – Many companies block certain websites, but they can’t block every dangerous site. Thus, do not be tempted to download from any old website that you are able to access, especially if it’s not popular and trusted. Malware, including a new menace, Ransomware, can be hidden anywhere, even in innocent-appearing images and videos. Great damage can be just a wrong click away.
- Red Flags – Some web browsers will warn users if a website they are trying to access is dangerous. Rather than depending 100% on company firewalls and anti-virus software, pay attention to such red flags.
- Business Vs. Personal Email – Keep them separate. During the recent Presidential election we learned how dicey it is to mix the two. With the possible exception of union-related emails, employers are allowed to read anything that is sent or received on their devices, and, conversely, using personal devices for business can put your employer’s data security at risk.
- Data Security and Records Retention – A company’s data includes client, customer and employee records, not just the recipe for its secret sauce. And depending on the industry in which you work, you might be required by law or company policy to retain certain electronic records; in other cases it’s best to keep minimal records electronically, because the more you keep, the more is at risk. Again, it’s important to check your company’s policies on these issues. And be sure to back up your data to a safe place regularly.
- Emails & Texts – (1) The comments and information you put in emails have the potential to sink companies and careers. And the same is true of texts. We have become so accustomed to using these methods of communication that we blithely consider them merely delivery systems for casual — or sometimes not so casual — on-line conversations. But they are not conversations; they are publications similar to snail-mail letters or media postings or articles. Even seemingly innocent comments in emails can be used against an employee or employer, so using a business email system to gossip or share confidential information can cause severe damage to both companies and individual careers. (2) In addition, employees can be victims of phishing via email or be sent an email with a viral link that, when opened, can infect the entire system or be used as a means of entering the system to extract information. Use emails and texts routinely only to convey essential, appropriate and non-confidential information or instructions. Before opening unknown emails or links, notify your technology unit to find out if it’s safe.
- Know Who Is At Your Cyber Door – Before you provide information of any kind to anyone, know with whom you are dealing. Being taken in by someone other than a trusted source is a pitfall that anyone can encounter. Last year, a Snapchat staffer was deceived by someone who sent an email claiming to be the CEO and was able to obtain confidential payroll information about current and former employees. Similarly, an employee at Tidewater Community College in Norfolk, Virginia, was victimized by someone posing as a legitimate source and requesting private W-2 information for all employees, which the employee provided. And it might have been an employee at the San Francisco Municipal Transportation Agency who clicked on a link that allowed ransomware to shut down computer systems, resulting in a loss of revenue for the Agency and two days of free rides for passengers.
Be a Superhero!
Professional ethics require that employees follow their employers’ policies, procedures and best practices to block systems from being compromised as well as to protect information from being breached via social engineering. In another, simpler, time it was an employee’s ability to contribute to the bottom line that employers prized most. In our more complicated modern world, employers value an awareness of the problems involving hacking, social engineering and phishing, as well as a deep sense of honor, trustworthiness and sound judgment, just as much as (and sometimes more than) technical skills.
Smart employers know that even with state-of-the-art technology, employees can be a company’s strongest asset in blocking cyber security breaches. Unfortunately, employees can also be the weakest security links. To be a superhero employee, you need to be squarely and firmly in the former category.
Until next time,