We can expect to see a shift from hacking networks to a focus on hacking people. The tactics used to hack people are not highly sophisticated and can encompass relatively stealth threat vectors, making them hard to trace. It seems simple, but it's important not to overlook the low-tech threats in our high-tech world.
Here are three threats that all IT professions should be aware of and take necessary steps to mitigate:
Visual hacking, a low-tech method used to visually capture sensitive, confidential and private information for unauthorized use, is an under-addressed corporate risk. After all, a hacker often only needs one piece of valuable information to unlock a large-scale data breach.
Take this scenario: A malicious third party enters an office space under the guise of being with a vendor or as a building worker. The individual is given a building pass and essentially has free roam of the office. It is all too easy for this person to snap a photo of an employee's device screen as it is displaying access and login information credentials. The malicious party has visually hacked the company and now has the ability to penetrate deep into the organization's networks and launch a cyber attack.
Addressing this concern: Taking steps to shift workplace culture to value visual privacy is necessary to combatting this emerging corporate risk. Policies and procedures should address visual hacking on devices and physical documents. Employee awareness and communication programs combined with ongoing education about visual hacking and other low-tech threats can also help.
Equip employees with tools such as privacy filters and the 3M ePrivacy Filter for visual privacy from virtually every angle as a part of a larger visual privacy toolkit.
Data loss as a result of employee behavior should be a major concern for IT professionals today. More and more examples of this pop up on a seemingly daily basis. One of the most recent incidents occurred at Sony Pictures, where hackers under the guise of GOP (Guardians of Peace) claim to have utilized insiders to gain access to the company, compromised records and threatened to hold company data ransom unless demands were met.
Careless employees, particularly those that have access to company networks through BYOD or company-issued devices, can easily compromise company data or intellectual property and may be leaking data without even knowing it. A second category, disgruntled employees, can also pose a serious threat to proprietary company information. These employees may be lured by the potential of financial gain or have a spiteful agenda. As the hackers in the Sony Pictures incident claim, employees with similar interests to the hackers may also be persuaded to join their cause and assist with attacks from the inside.
Addressing this Concern: In the case of the careless employee, lack of awareness and lack of diligence play large factors in data loss. IT professionals can help mitigate the risks by ensuring that corporate policies and procedures that include language on professional conduct with company data and increase efforts to communicate these to employees. Taking an extra step to ensure that devices have remote wipe capabilities in the event that a phone or laptop falls into malicious hands. In the case of disgruntled employees, monitor for suspicious behaviors, particularly following a bad review or probationary period.
Rather than using high-tech hacking techniques, social engineering attacks happen when a malicious party gains access to company systems or data by exploiting human psychology. A social engineer may strike by calling employees posing as a trusted vendor or member of the IT team that needs confidential information, like passwords and email addresses, to rectify an issue with the server. Or they may try to gain access to company networks through "spear phishing," sending through an email pretending to be a friend inviting the employee to click on a link.
Once the malicious party strikes, it's not hard to penetrate deep into a company's networks and databases. Today's social engineers are extremely savvy, often studying companies prior to launching an attack, becoming familiar with their activities and lingo while projecting confidence and using reason to disarm social engineering victims.
Addressing this concern: Raising awareness is of the utmost importance when combatting social engineering. Creating a communication campaign that highlights real-world examples can help employees recognize that social engineering attacks are real and can take various forms. Employees should also be encouraged to report suspicious behavior to IT managers.
The threat landscape is ever evolving and as firewalls, anti-malware and other high-tech defenses make company databases harder and harder to penetrate from the outside, hackers will look to hack human assets to gain access to confidential information. IT professionals and leadership need to take steps now to put defenses in place along with company policies to safeguard against these low-tech threats.
Larry Ponemon is chairman and founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices, and chairman of the Visual Privacy Advisory Council, a panel of privacy and security experts dedicated to raising awareness for the issue of visual hacking.