Could your summer holidays put your business in danger of cyber and physical attacks?
Summer is here and for many businesses August is the official month for holidays at least where I reside. A time to recharge your batteries so that you can start the new business year full of energy, new ideas and goals. It’s a very essential period of time to recover and re-evaluate and while you focus on your well-being what about your businesses’ well-being?
Have you prepared it for the holidays?
In order to prepare your business for the holidays season security wise there is one valuable question you have to ask yourself which will enable you to relax and re-energize while you know your business in not in danger and that is:
How vulnerable is your business during the summer holidays and what can you do to patch/cover or better yet, remove the potential vulnerability?
So, let’s dive into it, shall we?
For today’s article, I will cover Social Media.
You use social media for your business promotion. Whether the medium is Facebook, Instagram, Twitter, Medium, Pinterest, LinkedIn, Snapchat it does not matter. Please note that this is not an exhaustive list of attack scenarios. I could go into so much more detail on the dangers that come with each social media platform, building attack scenarios but let’s focus on the basics.
Holiday time is accompanied with four danger categories related to social media.
Usually people announce where they will travel to, for how long they will be away, who is travelling with them and the exact dates related to the trip.
Such an innocent announcement, right? Wrong! That is such a dangerous habit for four reasons.
Limited focus on business accounts during the holiday period
Your business accounts will be unattended to during this period of time so if a cyber-criminal uses them against your business; you will not be able to know it immediately. As an example, let’s take a scenario where I cyber-criminal wants to attack your business during this period of time. They will evaluate you and analyze your online (and offline if they can) behaviors and habits. They already have all the information for your journey and as this is a private account they know how you express yourself in public. A potential cyber-criminal could get access to your Facebook account (Facebook account passwords are very easy to crack even for script kiddies.) As they access your account they can see how you express yourself in personal messages with colleges and collaborators as well and mimic you. Not so difficult to do; just a photo of the place you are visiting with a drink on the table (not you in reality) and your style of writing: “George I am having a great time here! You should consider visiting soon. I completely forgot this task and as you are closer can you please do me a favor and run to the office to upload this file? That’s it! Just like that they got into your systems. Thus, they could send a message to one of your employees to open a specific file and trick them into opening it allowing the cyber-criminal full access to your data.
Ok, this is easier to do for small businesses and entrepreneurs because they do not have even established security principles but what about large corporations?
Forcing you to bypass a standard secure procedure
If you are a big corporation guess what; Methodology of attack does not change. The only thing that changes is the resources they will need to make it happen. So, in your controlled environment you are fine but what if they manage to change just one parameter of your security?
As Tony Robbins says, the defining factor is not resources, it’s resourcefulness. That is one of cyber-criminals’ character trade, resourcefulness and it can become a really valuable asset when it comes to sophisticated attacks.
Cyber-criminals can mimic a collaborator of yours to contact you for an urgent matter forcing you to bypass a standard secure procedure you have by sending you something you need to access your systems for and you are doing it abroad from unknown public WI-FI network or your phone data plan. And for those of you who are skeptical, it is not difficult to trick your phone to send information through a fake cellphone tower. Just imagine using that tower for second factor authentication!
They could even have tricked you in to thinking that they are your WI-FI. In such attacks, the cyber-criminal may go on holidays with you! It’s a more expensive high-profile attack but yes, con men can do that and they do. They just need you to break a secure procedure habit if you have sophisticated security established and they can go to great lengths to achieve that.
Combining different types of attack to perform a single attack
And let’s not forget physical security. Giving out this information notifies attackers you will be away from the office that period of time. Mostly for entrepreneurs and small businesses but it could also apply to larger organizations; leaving the office unattended is essential. A criminal could combine cyber and physical security to damage you. During the holidays, your business is closed or is operating with minimum staff which means that a physical attack would be easier. Just tricking one of your employees to access the office space and install or place a device in an area not easy to locate or bypass your alarm systems in case it is closed it is not that easy to do. Even in businesses with sophisticated security. Do you think it is difficult? Asking your personnel, a question while they are locking up could end up seeing your keypad password to access the space or they could install a camera rigged to an electricity switch across the keypad. Cameras today come in the size of a pin! Or if they are really smart and able to perform sophisticated attacks they do not even need a pre-visit at all. They could get your passcode in a minute being at the front door key-pad. There are so many ways.
Please note I avoid giving the exact attack plan scenarios for obvious reasons. I just provide an outline of them just to enable you to visualize the danger. The point is to help you avoid it, not to educate attackers on how to do it effectively.
Taking advantage of the environment of the account
Your social media accounts give up your location and a lot of other information. Just the simplest attack of stealing or cracking your passwords could end up giving them information on where you are or giving them access to other accounts. Most people have the bad habit of using the same usernames and passwords across many of their accounts personal and business ones. Do not underestimate cyber criminals. Especially for sophisticated attacks they have expertise in what I call “behavioral security and deception”. You see social media have not been designed with security in mind and are by default a weak link for your security thus, you need to come up with out of the box ways to bypass their limitations.
Have you noticed the pattern?
All of the attack scenarios I presented combine social engineering, physical access and wrong habits. Overall the scenarios are completely depended on you enabling the attack the criminal orchestrated against you.
Please note, that this is not an exhaustive list of attack scenarios related to social media. Just a sample in order to demonstrate my point. Additionally, notice how I used just one simple piece of information! You do not want to know what attacks scenarios I could come up with if I had more information from your profiles. As a rule of thumb, just two pieces of information are enough to damage your security and today people do not seriously consider where they provide that information, unfortunately.
You do not need to know all the scenarios. It is my job to define the scenarios and create solutions to defuse them while giving you the solutions that feel like second nature to you. That is why I have created an activity sheet just for you to download with things you can do right now and with no cost in order to protect your business from the scenarios I have presented in this article. Please let me know how it feels to be secure and at the same time if the solution is difficult or easy for you to implement!
In the next article, I will give you more information on holiday oriented attacks and how to avoid them!
You can download the checklist here