It is impossible to deny that hackers are developing more complex viruses and malware techniques all the time, and while many businesses view this as the most pressing threat to their IT infrastructure, they very often overlook the dangers posed by individual members of staff.
Companies can spend a great deal of time and money building the most secure network possible to protect their data from external threats, with solutions including firewalls and secure gateways. However, such technology does little to mitigate the risk of threats from within the business.
As a result, low-tech methods of hacking are becoming increasingly widespread, a trend exacerbated by the growing use of personal accounts in the workplace. We explore some of these methods in further detail here.
Social engineering is one of many low-tech, high-yield methods used by hackers that seem too simple to be believed. The most common approach is to simply call an office, claim to be a member of IT security and ask for remote access to the employee's workstation. If this is done in a particularly matter-of-fact manner, a surprising number of people will provide access without question.
That said, social engineering has become more sophisticated in recent years, as the average user has become increasingly savvy when it comes to the more basic methods used by cyber criminals. For this reason, hackers have needed to become smarter in the ways they seek to obtain data.
For businesses, a common technique is to email a user a malicious link which, once clicked, gives the attacker a foothold from which to reach the entire network. If the email appears to come from a person the individual knows, they are much more likely to follow the instruction. It is easy for hackers to scroll through a potential target's social media followers and pose as a friend or work colleague.
Similar to the technique above, baiting tricks users with information that has been gathered about them. Put simply, a quick check of social media could show that the individual is a big fan of Game of Thrones, so, instead of sending a generic email asking them to click, the attacker tailors it to their tastes: "Click here for Game of Thrones spoilers". This method is often more successful because the user is more likely to click the link.
It is also simple for attackers to use the information listed publicly on LinkedIn to target an accounts employee of the company and, posing as the CEO, request the transfer of funds to a particular account. It may seem far-fetched, but there have also been instances of attackers listening in on business conversations in public places such as coffee shops and using what they overhear to infiltrate the network.
Another common way in which cyber criminals mislead users is by tricking them into downloading malware through the unsubscribe links in emails. All marketing emails must by law contain an unsubscribe link so that consumers can opt out of receiving communications from a particular company.
Attackers can send a user emails that appear to be ordinary marketing material. If the user is not interested in the company, or is frustrated that the emails seem too frequent, they are likely to click unsubscribe, and that click takes them to a malware site instead.
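One defensive check that follows from the unsubscribe trick described above, added here as an example and not part of the original article: parse an email, find links whose anchor text says "unsubscribe", and flag any whose host does not belong to the sender's domain. The sample message, the `registrable_domain` helper (a crude two-label fallback, not a public-suffix lookup) and the `suspicious_unsubscribe_links` function are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration; the addresses are not real.
# The "Unsubscribe" link points at a different domain from the sender.
SAMPLE_EMAIL = """From: "Acme Offers" <news@acme-offers.example>
To: staff@company.example
Subject: Weekly deals
Content-Type: text/html

<html><body>
<p>Big savings this week!</p>
<p><a href="https://acme-offers.example/deals">See deals</a></p>
<p><a href="http://acme-offers-unsub.example/u?id=42">Unsubscribe</a></p>
</body></html>
"""

# Matches <a ... href="..."> anchor text </a>; good enough for simple HTML bodies.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Hypothetical helper: last two labels of a host (no public-suffix list)."""
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_unsubscribe_links(raw_email):
    """Return unsubscribe links whose host is not in the sender's domain."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get('From', ''))
    sender_domain = registrable_domain(sender.rsplit('@', 1)[-1]) if '@' in sender else ''
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or 'utf-8', 'replace')
    flagged = []
    for href, text in LINK_RE.findall(body):
        # Only look at links the user would read as an unsubscribe action.
        if 'unsubscribe' not in re.sub(r'<[^>]+>', '', text).lower():
            continue
        host = urlparse(href).hostname or ''
        if registrable_domain(host) != sender_domain:
            flagged.append(href)
    return flagged
```

A mismatch is a signal for a mail gateway or user-awareness tooling to surface, not proof of malice; legitimate senders sometimes use third-party list managers, so pair it with an allow-list.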
Keylogging, also known as keyboard capturing, records every keystroke typed on a machine into a log file. These log files very often include personal email IDs and passwords. The threat can take the form of either software or hardware: software-based keyloggers run as programs installed on the computer, while hardware-based approaches target the keyboard itself, its electromagnetic emissions or smartphone sensors.
The threat of keyloggers is one of the primary reasons why online banking sites offer the option of a virtual keyboard. It is important to take extra precautions when using a computer in a public setting to avoid this.
Current or former employees of a business are a very real threat to a business’ security. Such individuals can gain unauthorised access to confidential data, or infiltrate the network with something malicious. Such internal threats can take several forms, including:
All staff need to be educated on the importance of being vigilant with their passwords. Failure to do so could be incredibly dangerous for firms of all sizes.
Widespread education on safer business practices is key to preventing cyber attacks against individual users within a business IT network. The cruder techniques adopted by hackers can be prevented with anti-spam filters and through best-practice training courses for employees. However, in order to be truly protected, businesses need a strict security strategy in place.
At Evaris, we strongly believe that more needs to be done to ensure that businesses are protected against cyber attacks, which is why we believe it should be compulsory for businesses to meet a minimum legal standard of IT security. We have created a petition to urge the UK government and the NCSC to put regulations in place to ensure all businesses meet a minimum legal standard of IT security.