When you think of a hacker, you probably picture someone sitting in a dark room running strange programs to break into your computer and find your password. That's how Hollywood and the media like to portray hackers, but it's rarely the way things happen in the real world.
1. The inside job
Most of the time when data is stolen from a company, it's taken by a member of staff. There's no need to walk out of the office with a bunch of files hidden in a briefcase or under a coat: you can simply copy everything onto a USB stick, upload it to a cloud service, or email the relevant information to someone. Anyone with access to online services such as company records can also alter or delete data, and if the same account can edit the audit logs, it doesn't take much skill to cover your tracks.
Depressingly, there's often little you can do to stop a malicious or unscrupulous employee who already has the access, and it can come as a major shock to discover that a trusted co-worker has been leaking information to a competitor or fiddling the company accounts. What you can do is limit the damage: give each person access only to the data their role needs, and keep access logs somewhere the people being logged cannot edit them.
2. The ex-employee
This is a special case of the inside job. Disgruntled ex-employees may seek revenge for perceived slights by logging back into systems they still have credentials for and stealing, deleting, or altering data. If they have access to mission-critical software, data, or services, they can cause immense damage, perhaps locking you out of your own systems.
When an employee leaves, especially if they've been fired or there are other signs of discontent, revoke their access to every service immediately: disable or delete their user accounts, invalidate any VPN access, SSH keys, API tokens and active sessions they hold, and change the passwords for any shared accounts they knew. This should be a top priority, even before escorting them from the building; otherwise they could be logging in from their phone on the way home and wreaking havoc within minutes.
3. The lost laptop
Far too often, data loss isn't due to any malicious intent. Our working habits are becoming more flexible: we use more and more portable devices, we work in unusual places, often in public, and then we leave those devices behind. If they're not secured, anyone who finds them potentially has access to an incredible amount of data. Nobody's immune: film and TV scripts, sensitive government data and corporate accounts have all been left behind this way. A friend recently found a smartphone in a bar, and found that he had full access to the owner's bank accounts, Facebook, email, text messages, Dropbox, company server, and more. (Fortunately he's an honest guy and returned it to the owner without taking advantage of that.)
Make sure all your employees know that any portable device used to access company material must be locked with a PIN, password, fingerprint or facial recognition. A lock screen only helps if the storage behind it is encrypted, so turn on full-disk encryption (BitLocker, FileVault, or the built-in encryption on phones) as well, and enable remote wipe where the device supports it. Using an unsecured device is as irresponsible as leaving the office unlocked when you go home.
4. The social hacker
The easiest way to hack into a company is simply to ask. Top hackers will tell you unashamedly that it's far easier and quicker than trying to hack your way in using software. For example, let's say I wanted to get hold of information on your last quarter's sales. I'd phone the company and ask for the name of the sales manager so I could set up a meeting. Then I'd call again and ask for the email address of a junior staff member in the finance team so I could query an invoice. Then I'd send an email to that junior, claiming to be from the company's auditor, asking for the sales data, and saying that the sales manager had authorized it (or simply forging the manager's address in the From line, which needs no access to the manager's account at all; nothing in email itself stops that unless the company publishes and enforces SPF, DKIM and DMARC). There's a good chance I'd get the information sent straight to me, and I'd never have to know a password or break into anything. Everyone in your company would have acted with the best of intentions, trying to be helpful, but unwittingly they'd have handed vital information to someone who shouldn't have it.
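The "spoofing the manager's email" step is the one part of this scenario that a mail gateway or a careful recipient can actually test for. The Python below is an added example written for this page, not code from the original article: it triages an inbound request against the common header-level spoofing signals (a From address on the company's own domain that our mail server did not authenticate, a lookalike domain, a Reply-To that diverts replies elsewhere, and an address hidden in the display name). The company domain example.com, the people named, and the four sample messages are all constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this added example: the organisation's own mail domain.
COMPANY_DOMAIN = "example.com"


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    The receiving MTA prepends its own header, so the first verdict seen wins.
    In production also check the authserv-id is your MTA's: upstream senders
    can insert fake Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def analyze(raw_message):
    """Return reasons this request should be verified out of band.
    An empty list means no spoofing signal was found, not that it is genuine."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    auth = auth_results(msg)
    findings = []

    if from_domain == COMPANY_DOMAIN:
        # Our own domain in From: is only credible if our MTA authenticated it.
        for method in ("spf", "dkim", "dmarc"):
            if auth.get(method) != "pass":
                findings.append(f"{method}={auth.get(method, 'missing')} on a message "
                                f"claiming to be from {COMPANY_DOMAIN}")
    elif from_domain and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain}")
    elif from_domain:
        findings.append(f"external sender domain {from_domain}")

    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_addr} diverts replies to another domain")

    # Display-name spoofing: the visible name looks like an address or carries
    # our domain, while the real address is somewhere else entirely.
    if ("@" in display or COMPANY_DOMAIN in display.lower()) and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name {display!r} impersonates an address")
    return findings


# Constructed sample messages (not real mail) for the scenario in the text.
SPOOFED_FROM = """\
From: "Dana Moreno" <dana.moreno@example.com>
To: junior@example.com
Subject: Q3 sales figures for the auditors
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please send the Q3 sales data to our auditors today.
"""

LOOKALIKE = """\
From: Dana Moreno <dana.moreno@examp1e.com>
To: junior@example.com
Reply-To: audit-desk@mail-audit-services.test
Subject: Q3 sales figures for the auditors
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Dana has authorized this, please send the Q3 sales data.
"""

DISPLAY_NAME = """\
From: "dana.moreno@example.com" <dm.8831@freemail.example.net>
To: junior@example.com
Subject: Q3 sales figures
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.example.net; dkim=pass; dmarc=pass

Send me the Q3 sales data please.
"""

GENUINE = """\
From: Dana Moreno <dana.moreno@example.com>
To: junior@example.com
Subject: Q3 sales figures
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Can you pull the Q3 sales data for the audit pack?
"""

if __name__ == "__main__":
    for name, raw in [("spoofed From", SPOOFED_FROM), ("lookalike", LOOKALIKE),
                      ("display name", DISPLAY_NAME), ("genuine", GENUINE)]:
        print(name, "->", analyze(raw) or ["no spoofing signal; still confirm out of band"])
```

Note what the lookalike case shows: SPF, DKIM and DMARC all pass, because the attacker owns examp1e.com and set those records up correctly. Authentication results tell you the mail really came from the domain in the From line; they say nothing about whether that domain is the one you think it is, which is why the domain comparison and the Reply-To check are separate signals. The empty result for the genuine message only means no spoofing signal was found; a request for sensitive data still gets confirmed by calling the manager on a number you already have.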
It's just as easy to get information from individuals. When you talk to your bank, they usually ask for some information to identify you. So when "your bank" calls to discuss something and asks you to verify your social security number, account number, mother's maiden name and date of birth, you tell them. But how do you know it's really the bank on the phone? Have you just given your identifying information to a hacker? The safe answer is to hang up and call back on the number printed on your card.
And what about all those Facebook quizzes that ask you to make your rapper name from the name of your first pet and the town you were born in? Thank you, I now have the answers to two of the most common security questions.
The answer is to be very careful about who you're speaking to and what information you're giving out. Never, ever give out usernames or passwords to people you don't know, even to people claiming to be from technical support or customer management (genuine support staff don't need your password). Verify any unexpected request through a channel you chose yourself: call the manager or auditor back on a number you already have, not one supplied in the email. And make sure every device you own is secured.