With the implementation of the GDPR in May, businesses are obliged to keep personal data secure and to notify the Information Commissioner of any breaches. Your weakest link is the people you employ.
Hackers are one risk, but you have almost as much to fear from your own employees.
Emails purporting to be from HMRC, Employment Tribunals, or even people your employees might know (see below) are becoming increasingly sophisticated and convincing. They invariably contain links that compromise security if the recipient clicks on them. Grammatical errors and spelling mistakes often give them away, but this will not always be so.
Availability of names
If you know the names of people (say John Smith) in an organisation, say Blogs and Co, it doesn’t take much to realise that firstname.lastname@example.org is a real email address. If you know that John Smith is the M.D., then an email purporting (easy to do) to be from John Smith may make anyone in that organisation jump (or forward some money). Names, of course, are often available on your website.
The telephone version can go along lines such as: “This is Emma from IT here. We’ve detected a problem with your printer and we just need your password to resolve it” or “can we connect to it remotely to resolve the issue?”, etc. This works best if there is an Emma in IT but the recipient doesn’t know her voice. “Social engineers” research diligently for names and information that help them practise this form of deception.
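The "email purporting to be from John Smith" problem above can be caught on the receiving side: the display name is easy to forge, but the address it arrives from is not the one the organisation issued, or it comes from a lookalike of the organisation's domain. The following check is an added example written for this page, not code from the article or from Employer Solutions. It assumes a staff directory of published names and their real mailboxes (constructed here), uses the article's placeholder domain example.org as the organisation's own, and treats a Reply-To pointing at a different domain as a further warning sign.

```python
"""Flag inbound mail whose display name borrows a known staff member's identity.

Added example (not from the article). STAFF, the sample headers and ORG_DOMAIN are
constructed for illustration; example.org is the placeholder the article uses.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.org"

# Constructed staff directory: the name the organisation publishes on its website
# and the one mailbox it actually issues to that person.
STAFF = {
    "John Smith": "john.smith@example.org",
    "Emma Jones": "emma.jones@example.org",
}


def _name_key(name: str) -> frozenset:
    """Order- and case-insensitive key so 'Smith, John' matches 'john smith'."""
    return frozenset(re.findall(r"[a-z]+", name.lower()))


STAFF_BY_KEY = {_name_key(n): a for n, a in STAFF.items()}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two keystrokes from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(from_header: str, reply_to: str = "") -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one message's From/Reply-To."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    dom = _domain(addr)
    reasons = []

    # A staff member's name on an address we never issued to them.
    issued = STAFF_BY_KEY.get(_name_key(display))
    if issued and addr != issued:
        reasons.append(f"display name {display!r} belongs to staff but address is {addr}")

    # A domain that is nearly, but not quite, ours (examp1e.org, exarnple.org).
    if dom and dom != ORG_DOMAIN and _edit_distance(dom, ORG_DOMAIN) <= 2:
        reasons.append(f"sender domain {dom!r} is a lookalike of {ORG_DOMAIN!r}")

    # Replies silently redirected to a mailbox the attacker controls.
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if _domain(rt_addr) != dom:
            reasons.append(f"Reply-To {rt_addr.lower()!r} goes to a different domain than From")

    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ('"John Smith" <john.smith@example.org>',
                '"Smith, John" <john.smith@freemail.invalid>',
                'John Smith <john.smith@examp1e.org>'):
        print(hdr, "->", check_sender(hdr))
```

Run as a mail-gateway or mailbox rule, a positive verdict is a reason to tag the message ("external sender using a staff name") rather than to drop it outright, since genuine staff do occasionally write from personal addresses; the tag is what stops the recipient from "jumping" on sight of the M.D.'s name.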
The nation’s favourite password is “123456”, followed closely by “password”; other popular ones are easily found on the internet. Once one entrance to your systems has been opened, an attacker can work deeper into them.
A relatively new scam is to set up a router in a hotel car park (for example) with a network name that matches the hotel’s. Your salesman sits in the hotel lobby thinking they are on a safe connection, while everything they enter passes through the hacker’s router.
Technical hacking and employees
It should go without saying that firewalls, anti-virus software, and industry-standard backups and routers are the first line of defence. But professional hackers are on the increase and often sell their hacking tools on to others.
Information gained from technical hacking, combined with social engineering of employees, provides a powerful route to your data.
What to do
Internet and email policies, data protection policies and bring-your-own-device policies can address many of these issues. But staff are unlikely to look at your policies unless they are easily accessible. Our online handbooks not only make policies accessible but also tell you whether or not they have been viewed.
Your staff need to be alert to all the ruses social engineers may use to trick them. Once they understand the vulnerabilities they are more likely to follow your policies.
3. Penetration tests
These are, essentially, tests of the security of your systems carried out by an accredited agency. Acting like hackers, the agency will seek to penetrate your security, and you might be surprised what they can find out. Knowing your vulnerabilities gives you the knowledge to “close the doors”.
Take these steps and you will be improving the security not just of personal data, as the GDPR requires, but of far more valuable information that could leak out of the organisation.
Employer Solutions takes your data seriously: we have taken these steps ourselves and hold Cyber Essentials accreditation.
Malcolm Martin FCIPD
Author Human Resource Practice