This blog post was inspired by some recent news I heard about a company some of my friends work for. They just had an incident in which someone spoofed the email address of an executive in the company and all of the employees’ W-2s were emailed to an unknown party.
All of the people who work there are now having to deal with credit bureaus and live with the fact that their personal information is in the hands of someone who can use it to affect their credit for the rest of their lives.
How does this happen?
Believe it or not, most “breaches of information,” as many companies call them, involve no break-in of any system at all. They are leaks, mostly caused by individuals falling for social engineering schemes, and most of those are phishing. In the case above, the unknown individual used a tactic called spear phishing, which involves studying the target organization’s people to determine who is most likely to hold the requested information and to respond to the request. Spear phishing messages are crafted for that one person, which is why the reported reply rate once the message is opened is as high as 50%.
For more information, here are a few previous posts from the SandStorm IT blog that dive deeper into Social Engineering and Phishing:
In addition, Wikipedia has an interesting article about social engineering that lists some of the different types that are out there, with examples.
What can I do to protect my business?
The most important thing you can do is to ensure that the employees who are responsible for protecting data receive the training they need to do their jobs effectively. This means training them on the various methods of social engineering and the other forms of attack they may encounter in their day-to-day responsibilities, how to recognize a potential attack, and how to avoid data loss.
It is also a good idea to have policies in place that restrict or eliminate the transmission of sensitive data over email. This may not be applicable in all cases, but sometimes simply requiring your employees to pick up the phone and verbally confirm that the requestor actually asked for the information will stop a leak in its tracks. The call must go to a number the employee already knows or looks up in the company directory, never to a number given in the suspicious email, because the attacker controls everything in that message.
Additionally, there are software-based options called data loss prevention (DLP) that scan outgoing emails and attachments for Social Security numbers and other personally identifiable information and stop the message from leaving your network. DLP only catches data it can read, so a password-protected or encrypted attachment will pass straight through it; used in conjunction with user training and corporate policies, though, it will go a long way toward keeping your protected information from leaving your network.
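To make the two controls above concrete, here is an added example (not SandStorm IT’s code and not part of the original post) of the kind of check a mail gateway can run: one function flags an inbound request whose display name matches an executive but whose address does not, the other is a minimal DLP rule that blocks an outbound message carrying SSN-looking values to an external recipient. The company domain `example.com`, the executive directory, and both sample messages are constructed assumptions for the example.

```python
"""Gateway checks inspired by the W-2 phishing incident above.

Added example, not SandStorm IT's code. The company domain, the executive
directory, and the sample messages below are constructed for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage

COMPANY_DOMAIN = "example.com"                      # assumption: the company's mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: display name -> real mailbox

# U.S. SSN in 3-2-4 form with a consistent separator ("-", " " or none).
# Rejects area 000/666/9xx, group 00 and serial 0000, which are never issued,
# so phone numbers such as 901-475-0275 and obvious junk are not flagged.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}(?!\d)")


def find_ssns(text):
    """Return the distinct SSN-looking strings in text, sorted."""
    return sorted({m.group(0) for m in SSN_RE.finditer(text)})


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def first_address(msg, field):
    """(display name, addr-spec) of the first mailbox in a header, or ('', '')."""
    header = msg.get(field)
    if header is None or not header.addresses:
        return "", ""
    return header.addresses[0].display_name, header.addresses[0].addr_spec


def inspect_inbound(raw):
    """Reasons an inbound request looks like executive impersonation (empty = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = first_address(msg, "From")
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name '{name}' belongs to {real}, but mail came from {addr}")
    if domain_of(addr) != COMPANY_DOMAIN:
        reasons.append(f"sender domain '{domain_of(addr)}' is external")
    _, reply_to = first_address(msg, "Reply-To")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To {reply_to} does not match From {addr}")
    return reasons


def inspect_outbound(raw):
    """DLP rule: (allow, reasons). Blocks SSNs addressed to anyone outside the company."""
    msg = email.message_from_string(raw, policy=policy.default)
    recipients = [a.addr_spec for h in msg.get_all("To", []) + msg.get_all("Cc", [])
                  for a in h.addresses]
    external = [a for a in recipients if domain_of(a) != COMPANY_DOMAIN]
    texts = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        texts.append(body.get_content())
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "text":   # csv/txt exports; binaries need a real DLP engine
            texts.append(part.get_content())
    ssns = find_ssns("\n".join(texts))
    reasons = []
    if ssns and external:
        reasons.append(f"{len(ssns)} SSN(s) addressed to external recipient(s) {external}")
    return (not reasons, reasons)


def sample_inbound():
    """Constructed phishing request: the executive's name on an outside mailbox."""
    return (
        "From: Jane Doe <jane.doe.ceo@mail-example.net>\n"
        "Reply-To: w2requests@another-example.org\n"
        "To: payroll@example.com\n"
        "Subject: W-2s for all employees, urgent\n"
        "\n"
        "Please send me every employee's W-2 as a PDF before noon today.\n"
    )


def sample_outbound(to="jane.doe.ceo@mail-example.net"):
    """Constructed reply: a payroll export with SSNs attached as CSV."""
    m = EmailMessage()
    m["From"] = "payroll@example.com"
    m["To"] = to
    m["Subject"] = "Re: W-2s for all employees, urgent"
    m.set_content("Attached as requested.")
    m.add_attachment("name,ssn\nA. Person,123-45-6789\nB. Person,234-56-7890\n",
                     subtype="csv", filename="w2.csv")
    return m.as_string()


if __name__ == "__main__":
    for r in inspect_inbound(sample_inbound()):
        print("inbound:", r)
    print("outbound allowed:", inspect_outbound(sample_outbound()))
    print("internal copy allowed:", inspect_outbound(sample_outbound("hr@example.com")))
```

The impersonation check is deliberately a heuristic: it catches the cheap display-name trick used in most executive spoofing, not a forged header on the real domain, which is what SPF, DKIM and DMARC enforcement at the mail provider are for. The DLP rule errs toward blocking and leaves the decision to a human, which is the right default for a payroll mailbox.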
Don’t just assume that your employees are able to recognize when they are being targeted. Take precautions now so that you can be confident they will be. If you don’t, you risk losing not just your employees’ information but their trust, along with the money you will have to spend protecting their credit and defending yourself from lawsuits.
If you have any additional questions or would like to discuss how to better protect your business, call your trusted IT partner, SandStorm IT, at 901-475-0275.