We talk a lot about data security and apps and policies you can use to help keep your information safe on this blog. But not every threat to your data security is going to be computer-based. Recognizing and protecting against these threats is just as important to your data security as your firewall is.
Social Engineering Attacks
Ever had a conversation either in person, over the phone, or email that just didn’t sit well with you? Did you get the sense that the person wasn’t who they said they were? You may have been the victim of an attempted social engineering attack.
Social engineering is when an attacker attempts to deceive you into giving up confidential information. We tend to spend the most time focusing on email-based phishing attacks, but social engineering attacks over the phone or in person can damage your business just as easily as an email-based attack.
Phone calls from someone claiming to be a representative from “IT”, an Internet Service Provider, or the bank, asking for confidential information such as your PIN, account names, or passwords, should send up big red flags.
So how can you defend against these attacks? Be suspicious of everyone. Do not, under any circumstances, give out confidential information over the phone to an unverified party, no matter how trivial it may seem. The answer to a seemingly inconsequential question about where you grew up could be the answer to a security question protecting one of your accounts.
Get to know your IT provider. Your IT vendor should be a very trusted provider. They should introduce new employees into your environment with a known member of the team to establish that trust.
If you receive a phone call or email from someone claiming to be from your IT department (or your bank, your credit card company, or the IRS; these are all common pretexts), hang up and call back on a number you already have: your IT team’s known number, or the number printed on your card or statement. Never use a number or link that the caller or the email supplied, since that just routes you back to the attacker. This ounce of prevention is always worth more than the pound of cure if the person turns out not to be who they claim to be.
USB Drive Attack
Picture this scenario: One of your employees finds an unmarked USB drive in the parking lot of your office and picks it up, intending to return it to its owner. They’re not sure whose it is, so they plug it into their computer, hoping to find a file that may help them identify who it belongs to.
What is intended as a nice gesture by an employee could put your company at risk. That USB drive may have been dropped in your parking lot deliberately by someone hoping to get access to your files. Nobody has to open a file for the attack to work: the files on it can exploit the software that previews them, and the “drive” may not be a storage device at all but hardware that presents itself to the computer as a keyboard and types commands the moment it is plugged in, installing ransomware or a backdoor into the network in the background.
Most people already know not to download attachments from unknown sources. Train your employees to treat unknown USB drives (or other external drives) with the same level of caution.
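As an added example (not code from the original post), here is how an administrator would turn that training advice into a technical control on Windows. The PowerShell below, which assumes an elevated session on Windows 10 or 11, applies the “All Removable Storage classes: Deny all access” machine policy so that an unknown stick that does get plugged in cannot be read from or written to, reports whether the policy is in force, and lists the USB disks currently attached. The function names are my own.

```powershell
# Added example, not from the original post. Assumes Windows 10/11 and an
# elevated PowerShell session. Writes the same registry value that the
# Group Policy "All Removable Storage classes: Deny all access" sets.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenyAll {
    param([bool]$Deny = $true)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Deny_All = 1 blocks every removable storage class (USB disks, CD/DVD,
    # tape, portable devices). A reboot enforces it for devices already attached.
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord `
        -Value ([int]$Deny) -Force | Out-Null
}

function Get-RemovableStorageDenyAll {
    # Returns $true only when the policy key exists and Deny_All is set to 1.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $v = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Deny_All -eq 1)
}

function Get-AttachedRemovableDisks {
    # What is plugged in right now: useful when investigating the scenario
    # above, because the serial number identifies the specific stick.
    Get-Disk | Where-Object BusType -eq 'USB' |
        Select-Object Number, FriendlyName, SerialNumber, Size
}

Set-RemovableStorageDenyAll -Deny $true
"Removable storage denied by policy: $(Get-RemovableStorageDenyAll)"
Get-AttachedRemovableDisks
```

This is a blunt control; shops that issue staff encrypted drives would pair it with a device-installation allow list keyed on the approved drives’ hardware IDs rather than denying everything. It also covers storage only: a device that enumerates as a keyboard is not a storage class and is untouched by this policy, which is why the training still matters.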
Physical Security
In the IT world, physical security has many facets. The big questions you need to ask yourself are: how easily can a bad actor get into my office and access my company’s data, and how easily can they walk out of my office with a company device?
Think about controlling physical access to your building. How many doors stay unlocked just waiting for the wrong person to try them? Is your server room locked? Do you have any way of tracking who is going in and out of it?
Fingerprint scanners and keycard-controlled doors are a good option: they keep doors locked without slowing down your employees, and the access log they produce answers the question of who went in and out.
While it used not to be common for desktop computers to be stolen, the popularity of small, lightweight tablets and laptops makes it much easier for criminals to walk off with sensitive data.
We’re not advocating chaining your employees’ laptops and mobile devices to their desks. That’s unrealistic and it’s just as likely for a phone with company information on it to go missing while out of the office. But there are some measures you can take to protect your data in the event a device does get lost or stolen.
First, consider data encryption. Since Windows Vista, Microsoft has included a feature called BitLocker in the business editions of Windows (Pro, Enterprise, and formerly Ultimate; Home editions do not have it). BitLocker encrypts, or scrambles, the contents of your hard drive so that if your computer is stolen, the thief would need your BitLocker key to unscramble it. Two caveats: keep the recovery key somewhere other than the laptop bag (escrowed in Active Directory or your management system), and remember that BitLocker protects data at rest, so a laptop taken while it is asleep or logged in still has the key loaded in memory; pair it with a screen lock and shut down or hibernate before travel. While this doesn’t change the fact that you would still need to replace the stolen computer, you can rest easy knowing that your data is not going to end up in the wrong hands.
Consider implementing policies for automated screen lock, password history, and complexity. While no one enjoys entering their password dozens of times in a day, it does decrease the likelihood of someone taking over an unattended workstation and potentially unleashing havoc on a network.
If you use removable storage like USB thumb drives, encrypt those devices as well. Hardware-encrypted drives such as Kingston’s IronKey line can be centrally managed or used standalone, and they have tamper-resistant measures built in (for example, erasing the drive after repeated failed unlock attempts) to guard against physical theft.
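The three measures above (full-disk encryption, screen lock and password policy, and encrypted removable storage) are all things an administrator can enforce from a script. The following is an added example, not code from the original post: PowerShell that assumes an elevated session on Windows 10 or 11 Pro or Enterprise with a TPM, on a machine where local security policy applies (domain members would get the same settings through Group Policy). The 10-minute lock, 14-character minimum, and 24-password history are hypothetical values; the function names are my own.

```powershell
# Added example, not from the original post. Assumes Windows 10/11 Pro or
# Enterprise with a TPM and an elevated PowerShell session. Hypothetical
# values: 600 s inactivity lock, 14-char minimum, 24-password history.

function Enable-DiskEncryption {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return $vol }

    # Recovery password first, so there is always a way back in if the TPM
    # refuses to release the key (firmware update, board swap, tampering).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null

    # Escrow the recovery password in Active Directory so a lost laptop is
    # not also a lost disk for your own organisation. Entra ID (Azure AD)
    # joined devices use BackupToAAD-BitLockerKeyProtector instead.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    return $vol
}

function Set-InactivityLock {
    param([int]$Seconds = 600)
    # "Interactive logon: Machine inactivity limit": locks the session after
    # this many idle seconds regardless of each user's screen saver settings.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $key -Name 'InactivityTimeoutSecs' -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
}

function Set-LocalPasswordPolicy {
    param([int]$MinLength = 14, [int]$History = 24)
    # net accounts handles length and history; the complexity flag lives in
    # the security template, so export it, flip the flag, and re-import it.
    net accounts /minpwlen:$MinLength /uniquepw:$History | Out-Null
    $cfg = Join-Path $env:TEMP 'secpol.cfg'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    (Get-Content $cfg) -replace 'PasswordComplexity = 0', 'PasswordComplexity = 1' |
        Set-Content $cfg
    secedit /configure /db (Join-Path $env:TEMP 'secpol.sdb') /cfg $cfg /areas SECURITYPOLICY | Out-Null
    Remove-Item $cfg
}

function Set-RemovableDriveEncryptionRequirement {
    # "Deny write access to removable drives not protected by BitLocker":
    # an unencrypted stick becomes read-only, so company files cannot be
    # copied onto a drive that would leak them if it were lost.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'RDVDenyWriteAccess' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Get-DeviceHardeningReport {
    $bl  = Get-BitLockerVolume -MountPoint 'C:'
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BitLockerProtection   = $bl.ProtectionStatus
        EncryptionPercent     = $bl.EncryptionPercentage
        RecoveryPasswordSet   = [bool]($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        InactivityLockSeconds = $sys.InactivityTimeoutSecs
        RemovableWriteDenied  = ($fve.RDVDenyWriteAccess -eq 1)
    }
}

Enable-DiskEncryption -MountPoint 'C:' | Out-Null
Set-InactivityLock -Seconds 600
Set-LocalPasswordPolicy -MinLength 14 -History 24
Set-RemovableDriveEncryptionRequirement
Get-DeviceHardeningReport
```

Run the report a second time after a reboot: BitLocker encrypts in the background, so `EncryptionPercent` climbs toward 100 while `BitLockerProtection` already reads `On`, and the removable-drive write restriction applies to drives inserted after the policy refresh.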
Unfortunately, this is the world we live in. USB drive attacks and social engineering attacks are common and it’s growing more and more difficult to believe someone is who they claim to be. As with any data security threat, it’s best to exercise a little caution and train your employees to watch out for (and report!) any suspicious activity.