No one will argue that cybercriminals are not smart. But, usually when we picture a cybercriminal we think of someone hiding in a basement furiously punching code into a laptop that will penetrate the security system at a financial institution or other place of business.
We don’t think of cybercriminals as looking like one of us hiding in plain sight, even within the four walls of our organizations, willing to take advantage of our good nature to cause real and lasting harm.
That’s the word from Lior Satori Yotam, a Senior Security Consultant with HolistiCyber, Genesis10’s strategic partner for providing cybersecurity services to our clients. Lior was the guest speaker at the monthly meeting of SIM Austin held recently to recognize Cyber Awareness Month. About 30 IT leaders and others attended the meeting.
While Lior takes cybersecurity very seriously, at the event he used a light touch, sharing a series of real-world examples to get his message across: our best first line of defense against cybercriminals is employees who are aware of what is going on around them and who report anything out of the ordinary.
Among the examples he shared:
Employees at a very large financial organization in Europe had taken photos at work and posted them on social media. Photos taken with mobile phones carry metadata by default, including the GPS coordinates of where they were taken, so a cybercriminal who downloaded those photos would have the office’s GPS coordinates. A little research on LinkedIn then unearths employee profiles, many of which list the technologies the employee is proficient in and uses at his or her current employer, in some cases amounting to a technology roadmap. In the wrong hands, this information could cause colossal reputational damage.
At another organization, employees also took photos of their office space and put them on social media. The photo taker wasn’t aware that the photos showed confidential information clearly visible on a desktop.
Physical security properly in place? Not when someone who is properly dressed and looks the part can walk into the data center of a financial institution carrying a coffee mug with the company logo on it, or wearing, instead of the company ID badge, a cord that looks like the one employees use to display their badge.
Lior also shared examples of cybercriminals manipulating email signatures and calling by phone while pretending to be someone they are not in order to get information.
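The photo-metadata example above is something an organization can check for before an image is posted. The following is an added example, not code from the talk, from HolistiCyber or from Genesis10: a minimal Python check that parses a JPEG’s Exif segment and reports whether it declares a GPS sub-IFD, i.e. whether the location data Lior described is present. The sample files are constructed inline and the function names are my own.

```python
import struct

GPS_IFD_POINTER = 0x8825  # Exif tag in IFD0 that points at the GPS sub-IFD


def has_gps_metadata(jpeg: bytes) -> bool:
    """True if the JPEG's Exif APP1 segment declares a GPS sub-IFD,
    i.e. the file carries location data that should be stripped."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: no further metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + length]  # length counts itself
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _ifd0_has_tag(segment[6:], GPS_IFD_POINTER)
        pos += 2 + length
    return False


def _ifd0_has_tag(tiff: bytes, wanted: int) -> bool:
    """Walk the first IFD of the embedded TIFF structure looking for a tag."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    for i in range(count):  # each IFD entry is 12 bytes: tag, type, count, value
        tag = struct.unpack(endian + "H", tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i])[0]
        if tag == wanted:
            return True
    return False


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed fixture, not a real photo: SOI, an Exif APP1 holding a
    Model tag and optionally a GPS pointer, then an empty SOS and EOI."""
    entries = [struct.pack(">HHI", 0x0110, 2, 4) + b"cam\x00"]  # Model, ASCII
    n = 1 + int(with_gps)
    gps_ifd_offset = 8 + 2 + 12 * n + 4  # directly after IFD0 and its next-IFD link
    if with_gps:
        entries.append(struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_offset))
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", n)
            + b"".join(entries) + struct.pack(">I", 0)
            + struct.pack(">HI", 0, 0))  # empty GPS sub-IFD
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")
```

Running `has_gps_metadata` over a photo before it is uploaded gives a simple yes/no gate; a real pipeline would strip the APP1 segment rather than only flag it.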
How can we do better?
As IT leaders, we need to gather visual and audio evidence, show it to employees, and let them know that these incidents will never happen again, stating very clearly what is and what is not allowed. For instance, we need to educate employees about what is right and wrong on social media. Taking selfies in the office and posting them on social media is never right.
Genesis10 helps companies to bridge not only security gaps but also the skills and experience gaps so prevalent in enterprises today.