Author: Sergio Luis Bertoni, Senior Analyst at SearchInform
Approximately half of all data leaks happen accidentally. However, the possible harm caused by employees' accidental actions isn't limited to the exposure of confidential data. Sergio Bertoni, Senior Analyst at SearchInform, describes typical mistakes based on real-life stories.
1. USING PRIVATE EMAIL FOR CORPORATE PURPOSES
Private email is not a safe channel either for sending important corporate documents or for discussing business processes. It's well known that the accounts of celebrities and politicians are regularly compromised; such news is published all the time. However, ordinary users can just as easily fall victim to such attacks. Intruders are very interested in the content of email correspondence, if only because it can be resold. If it's also known that a user keeps confidential or valuable data in the account, he or she easily becomes an intruders' target.
For instance, there was a case in which the Gmail account of a former top manager of a large telecom company was hacked. As a result, besides his private messages, corporate data was exposed as well. It included the following:
- Addresses
- Passport details
- Commercial offers
- Company’s and partners’ internal documents.
2. OPENING ATTACHMENTS IN PHISHING EMAILS
Although phishing is a very well-known and widely used technique, it still remains extremely effective. Users often open the malicious attachments of phishing emails. The following case is illustrative: when the information security department of a large bank sent emails to employees on behalf of the company's executive, 80% of employees opened the email. After the simulation, the InfoSec officers developed a special training game for employees aimed at raising staff members' information security literacy.
So, when checking your inbox, it's strongly advised to be attentive and sceptical. Always doubt emails from unknown senders, and check whether the company the sender claims to work for really exists. If the email isn't important and is also suspicious, just ignore it. If the email is potentially important, make sure that a real employee of the organization has sent it. Check whether the sender's email address is real, whether it exists, and whether it points to an unknown site or to "alphabet soup". Check phone numbers and call only the official numbers listed on the organization's official website. Never call phone numbers mentioned in emails from unverified senders. If the organization's employees named in the email confirm they did not send it, mark it as spam.
3. USING PUBLIC SERVICES FOR COLLABORATING WITH OTHER USERS
Cloud services, collaboration services and public email providers are themselves exposed to cyberattacks. More often, however, users grant access to confidential data themselves, by sharing important documents via services that shouldn't be used for this purpose: for instance, via social networks, free cloud storage, or services such as Trello or Google Docs.
4. ACCIDENTALLY DISCLOSING CONFIDENTIAL DATA
It should be noted that such mistakes happen much more often than one might think. Typically, they are made by:
- Speakers who try to make their presentation more convincing.
- Media commentators who give comments to journalists and get too excited during the conversation.
- Conference participants who say too much during informal discussions.
Another, less obvious channel of data leaks is MBA term papers. Tutors recommend relying on real-life experience and data and avoiding abstract theoretical discourse. That's why students include real confidential corporate data in their work. Obviously, there is no guarantee that the data from such a term paper won't be exposed in the future.
5. SENDING CONFIDENTIAL DATA TO THE WRONG RECIPIENTS
Another typical threat is employees sending confidential data to the wrong recipients. Most often this happens because of inattentiveness or because the user was in a hurry. Situations that demand an immediate reply to an email are common; all of us face them from time to time. So an employee hits "reply all", or sends the message to some or all of the users who share the same surname, and thereby accidentally exposes confidential data.
I can share one of our clients' stories to make this more illustrative. The company's accountant accidentally sent a trove of confidential documents to the wrong person. In fact, she did it without any malicious intent. The situation is quite similar with paper documents. When they are used as drafts or are not disposed of appropriately (simply thrown into a trash can without being shredded), they also turn into a dangerous data leak channel.
6. USERS NEGLECT THE SAFETY OF ACCOUNT CREDENTIALS
Forgetful employees leave reminders containing account credentials in places where third parties can easily obtain them. Most often such reminders are found under the keyboard, in a notepad on the desk, or on a sticky note attached to the monitor. Another widespread problem is that employees very often leave security tokens plugged into the USB port.
Quite an exotic case of credential exposure happened in 2015, when an employee of the TV5Monde channel accidentally exposed the channel's YouTube password. Ironically, this happened live, while a reporter was talking about a cyberattack that TV5Monde had just suffered. The problem was that a sheet of paper with the password was visible on screen during the broadcast. Of course, attackers didn't hesitate to use this opportunity once again.
7. REUSING WEAK CORPORATE PASSWORDS ON EXTERNAL RESOURCES
A user who wants to follow all the security recommendations has to remember at least a few dozen strong passwords. What's more, according to information security requirements, such passwords should also be changed once a month. It's easy to see why, with such frequency, users often "update" a password by simply appending a new character to it (for instance, qwertyuiop, qwertyuiop1, qwertyuiop2). In some cases, instead of making a password safer, users actually weaken it. To reconcile the security requirements with real-life circumstances, a password manager can be used.
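The incremental-change habit described above (qwertyuiop, qwertyuiop1, qwertyuiop2) can be caught at password-change time, when the user still supplies the old password in plaintext. The following check is an added example for this article, not SearchInform's code; the function names and the 2-character threshold are assumptions.

```python
import re

def strip_increment(pw: str) -> str:
    """Drop a trailing run of digits, symbols or underscores: 'qwertyuiop!2024' -> 'qwertyuiop'."""
    return re.sub(r"[\W\d_]+$", "", pw)

def is_trivial_variant(old: str, new: str, max_added: int = 2) -> bool:
    """True when `new` is only a cosmetic edit of `old` and should be rejected.

    Covers the patterns the text describes: appending/prepending a short tail,
    bumping a trailing counter, and swapping one or two characters in place.
    Comparison is case-insensitive so 'Qwertyuiop1' still counts as a variant.
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    short, long_ = sorted((o, n), key=len)
    # qwertyuiop -> qwertyuiop1 (or 1qwertyuiop): old password plus a short head/tail
    if (long_.startswith(short) or long_.endswith(short)) and len(long_) - len(short) <= max_added:
        return True
    # qwertyuiop1 -> qwertyuiop2, Summer2023 -> Summer2024: same core once the counter is stripped
    core_o, core_n = strip_increment(o), strip_increment(n)
    if core_o and core_o == core_n:
        return True
    # passw0rd -> passw1rd: same length, at most two positions changed
    if len(o) == len(n) and sum(a != b for a, b in zip(o, n)) <= 2:
        return True
    return False

def review_change(old: str, new: str) -> str:
    """Message a password-change form could show; policy threshold is an assumption."""
    if is_trivial_variant(old, new):
        return "rejected: new password is a trivial variant of the old one"
    return "accepted"

if __name__ == "__main__":
    # Constructed sample changes, including the article's qwertyuiop sequence
    for old, new in [("qwertyuiop", "qwertyuiop1"), ("qwertyuiop1", "qwertyuiop2"),
                     ("Summer2023", "Summer2024"), ("qwertyuiop", "correct-horse-battery-staple")]:
        print(f"{old!r} -> {new!r}: {review_change(old, new)}")
```

Because stored passwords are hashed, this comparison is only possible against the plaintext old password the user types at change time, not against the whole password history.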
8. EXPOSURE OF CONFIDENTIAL DATA ON SOCIAL NETWORKS
The desire to attract attention on social networks poses serious threats to corporate security. There are numerous cases of employees publishing selfies taken in restricted areas, photos of whiteboards carrying confidential data, and the like on YouTube, LinkedIn and other social networks.
The list of ways in which corporate data can be handled carelessly is long, and it is very important not to become the culprit of such an incident. Training employees in security policies and legal compliance matters, but it does not always solve the problem, and information security incidents still occur. Using dedicated protective software (from antivirus to DLP systems to content filters) is an effective way to prevent incidents such as sending data to the wrong recipient or opening a malicious file. Computer literacy and attentiveness are also important measures that protect an organization against a wide range of corporate and personal problems.