By Michael Geis, Vice President of Information Services, CISM, CISSP, myMatrixx
We are starting to see a shift in the cybersecurity world in the way that organizations are being targeted. Gone are the days of the “hacker” in some dark basement somewhere trying different tactics to gain control of corporate firewalls and databases. Well, to be fair, those days aren’t entirely gone, as those types of attacks are still out there. But the bad guys are adapting faster than the good guys can keep up. While organizations race to make sure they are staying HIPAA/PCI/SOX/ISO compliant, the bad guys have figured out that we are still working off a playbook that has been around for 10+ years. Why “hack” when you can target specific individuals with access to the resources you want and just ask them for it? The latest battleground is individually targeted attacks, or “spear-phishing,” and there isn’t much that being HIPAA compliant is going to do to protect you when the bad guys set their sights on your employees.
It seems that all of the latest high-profile breaches started with internal employees clicking a poisoned link in an email or inadvertently disclosing confidential information to attackers. With this in mind, we recently ran an organization-wide IT security awareness training class for all myMatrixx employees. The training was targeted at three primary topics:
- Understanding the new threat landscape: who is doing this and why
- How it works: step-by-step examples of how an individual is targeted and exploited
- Awareness of personal digital footprints
After the training, the recurring theme in the feedback we got from our employees was fear and concern. To be honest, most employees in the American workforce haven’t heard this message before. The idea that a specific employee might be directly targeted, and that the bad guys are armed with an incredible amount of personal data about that employee (freely provided by that digital footprint), is at least slightly disconcerting the first time you hear about it.
We completed the presentation with tips on how to protect yourself from this new type of attack. Here are some examples:
- Know your personal digital footprint: Facebook, Twitter, LinkedIn, state and local government databases, press releases, Instagram, Spokeo, old online resumes, etc.
- Understand the persuasion levers an attacker uses (authority, nostalgia, verifiable facts, or appeals to emotion) to extract information that you normally wouldn’t share with a stranger
- If you get an email request that is suspect, pick up the phone, call the person asking for the information, and verify its legitimacy
- Don’t use the same password across multiple sites on the internet!
- Wait until you get back from vacation to put those pictures on Facebook
- Be aware that EVERYONE is a potential target (IT folks make fantastic targets!)
These types of attacks will continue to grow in frequency and sophistication. Why? Because they work! The strongest defense against this type of attack for the foreseeable future is turning your employees into human firewalls to protect your organization’s critical data. This can only be done with training and awareness, and you probably aren’t delivering it if you haven’t updated your security awareness curriculum in the past 12 months.