Did your organization suffer a hack or data breach last year? If your company made it through 2018 unscathed, you have every right to feel relief. The entire year felt like an unending news cycle, with cyber attacks launched and data stolen at an unprecedented scale and scope. However, your relief should not give way to complacency. Even if your brand stayed safe and your network secure last year, there is plenty to worry about this year and beyond. If you read the news and sit back congratulating yourself, you are underestimating the risks.
Breaches are a Cumulative Danger
We must rethink data breaches. They are no longer singular events. They are interconnected because more data flooding the marketplace empowers criminals and hacker groups with a richer gold mine for launching sophisticated social engineering attacks against your company's employees and VIP personnel. In this way, the threats facing your organization actually compound with each new breach. How so?
Let's start with a look back at the biggest breaches to grab headlines in 2018:
- Facebook - initially reported as 50 million accounts (later revised to about 30 million) compromised through stolen access tokens
- LinkedIn - 66 million records of LinkedIn profile data exposed in an unprotected database
- Quora - about 100 million accounts affected, including names, email addresses, hashed passwords and data imported from linked networks
- Marriott - up to 500 million guest records (later revised to about 383 million) taken from the Starwood reservation database, including passport numbers for millions of guests
Those are only a handful of the most prominent incidents, and as first reported they already add up to roughly three-quarters of a billion records. The data sets almost certainly overlap, so that figure overstates the number of distinct people, but it understates the risk: one person could be a victim of several of the breaches above, and each additional data point paints a more accurate picture of that individual, making social engineering against them more precise and harder to spot. If humans are the weakest link in a network security infrastructure, each data breach accelerates the corrosion.
This isn't hypothetical. Barely into 2019, we learned that these data sets are indeed being compiled. "Collection #1," the largest single credential set published to that point, contains roughly 773 million unique email addresses and 21 million unique passwords across some 2.7 billion rows. Take a moment to scroll back up: Collection #1 alone is bigger than 2018's four biggest breaches combined. More importantly, the collection is "made up of many different individual data breaches from literally thousands of different sources," reports the Guardian.
So how do these data breaches affect you and your company? Let's take a single data point, a victim's email address. An email address is the username on most social media accounts, so it is the natural starting point for a takeover attempt; a leaked password that the victim reused finishes the job. Let's play it out:
Example 1: The Professional Route
- With a leaked email address and a reused password, an attacker can log in to an employee's account (credential stuffing) and send what look like friendly links to colleagues across your company, spreading malware from a trusted identity.
- By correlating employer and job-title data across dumps, attackers can phish any number of your employees with tailored links to job listings or professional development events.
Example 2: The Personal Phishing Expedition
On Facebook, hackers could pose as a relative sharing a funny link, or as a business running a contest, all to phish one of your employees. This is easily done outside typical working hours, and can go on for as long as it takes to build trust. From there, a malicious link opened on the employee's phone while it is on the company Wi-Fi gives the attacker a foothold inside your network, or the attacker can simply move across social networks, from the friendly environs of Facebook and Instagram to LinkedIn, which is more likely to be opened on company computers during working hours.
The data is out there, and criminals have nothing but time to study it. Longer cybersecurity training sessions at work won't protect against these attacks, which reach your employees outside your network, at home, on personal phones, where they feel more comfortable. Deeper investment in endpoint protection won't cut it either: these attacks play out inside social apps on personal devices, beyond the reach of corporate tooling.
What to Do About It
It's time to start reading the headlines with your employees in mind. More breaches are on the way. Don't breathe a sigh of relief. Make it part of your standard protocols to survey your workforce to find out whether anyone has been affected by recent breaches. You're asking people to admit to something, so be clear about your intentions and why you want to know. Take the time to educate your employees about why breaches outside your company are still a threat to it. And, of course, there needs to be a measure of confidentiality. For example, an employee who was part of the 2015 Ashley Madison breach probably isn't eager to raise a hand. But regardless, if they are vulnerable, your enterprise is, too.
Therefore, be clear that you value them as an employee and want to protect them because it will keep everyone else safe, too. Proactively reset affected employees' company credentials and check that a leaked password is not in use on any company account, but also take out an insurance policy by offering to protect affected employees' social accounts. Employees will take ownership of their personal security, which is easier to understand and practice than wide-ranging company policies. Simply put, they have skin in the game. Using this approach, you can protect your enterprise from attacks by neutralizing the tip of the spear, adapting to the compounding risks posed by new breaches.
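The compounding effect described above (overlapping dumps joined into one richer profile, as in Collection #1) and the workforce check recommended in this section are the same operation seen from two sides. The Python below is an added example, not code from the original post or from the SafeGuardMe product: it joins several constructed breach dumps on the normalized email address, reports how much is known about each person, flags passwords reused across dumps, and then runs the same join against addresses that employees have volunteered for checking. Dump contents, field names, people and the roster are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample dumps (not real breach data). Field names deliberately
# differ between sources, as they do in real dumps; only "email" is assumed
# to be present in every record.
DUMPS = {
    "social_network_2018": [
        {"email": "Ana.Ruiz@example.com", "password": "Summer2018!", "phone": "+1-555-0100"},
        {"email": "ben@example.net", "password": "hunter2"},
    ],
    "professional_network_2018": [
        {"email": "ana.ruiz@example.com", "employer": "ExampleCorp", "title": "Finance Manager"},
        {"email": "carla@example.org", "employer": "OtherCo"},
    ],
    "hotel_chain_2018": [
        {"email": " ANA.RUIZ@EXAMPLE.COM ", "passport": "X1234567", "dob": "1985-03-02"},
        {"email": "ben@example.net", "password": "hunter2", "dob": "1990-11-20"},
    ],
}


def normalize_email(addr):
    """Canonical join key: trimmed and lower-cased. Gmail-style dot/plus
    folding is deliberately NOT applied; it would merge distinct mailboxes
    on providers that treat those characters literally."""
    return addr.strip().lower()


def merge_dumps(dumps):
    """Join every dump on normalized email.

    Returns {email: {"sources": set of dump names,
                     "fields": {field: {value: set of dump names}}}}
    so that for each leaked value we also know which dumps carried it."""
    profiles = defaultdict(
        lambda: {"sources": set(), "fields": defaultdict(lambda: defaultdict(set))}
    )
    for source, records in dumps.items():
        for rec in records:
            profile = profiles[normalize_email(rec["email"])]
            profile["sources"].add(source)
            for field, value in rec.items():
                if field != "email":
                    profile["fields"][field][value].add(source)
    return profiles


def exposed_fields(profile):
    """Distinct kinds of personal data known about one person. The more of
    these an attacker holds, the more convincing the pretext can be."""
    return sorted(profile["fields"])


def reused_passwords(profiles):
    """Emails for which the *same* cleartext password appears in two or more
    dumps. Reuse across consumer sites is the strongest hint that the same
    password may also guard the person's company account (credential stuffing)."""
    reused = {}
    for email, profile in profiles.items():
        for value, sources in profile["fields"].get("password", {}).items():
            if len(sources) >= 2:
                reused.setdefault(email, set()).add(value)
    return reused


def exposed_employees(profiles, roster):
    """Cross-reference the addresses each employee agreed to have checked
    (work address plus any personal ones they volunteered) against the merged
    profiles. Returns {employee: {"sources": [...], "fields": [...]}} for hits only."""
    hits = {}
    for employee, addresses in roster.items():
        sources, fields = set(), set()
        for addr in addresses:
            profile = profiles.get(normalize_email(addr))  # .get() does not insert
            if profile:
                sources |= profile["sources"]
                fields.update(exposed_fields(profile))
        if sources:
            hits[employee] = {"sources": sorted(sources), "fields": sorted(fields)}
    return hits


if __name__ == "__main__":
    merged = merge_dumps(DUMPS)
    for email, profile in sorted(merged.items()):
        print(f"{email}: {len(profile['sources'])} dumps, fields={exposed_fields(profile)}")
    print("reused passwords:", reused_passwords(merged))
    # Constructed roster: Ana volunteered a personal address; Dev appears nowhere.
    roster = {
        "Ana Ruiz": ["ana.ruiz@examplecorp.com", "Ana.Ruiz@example.com"],
        "Dev Patel": ["dev@examplecorp.com"],
    }
    print("employees to contact:", exposed_employees(merged, roster))
```

Run as-is, the script shows one constructed person reaching six exposed field types across three dumps and one whose identical password sits in two dumps, which is exactly the profile an attacker wants and the employee a security team should contact first. A production version of the defensive half should never hold cleartext passwords from dumps; compare hashes, or use a k-anonymity style lookup against a breached-password service, and treat the volunteered personal addresses with the confidentiality the text above asks for.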
Protect your people, secure your enterprise. Contact us today to learn more about the SafeGuardMe mobile app and protecting your people without fear.
July 3, 2020