The boundary between work life and personal life that was already softening before the pandemic is now well and truly blurred. As the line that divides home from office becomes ever more hazy, it seems inevitable that businesses will see a rise in certain types of cyber-attack that have previously targeted consumers.
The use of social engineering is nothing new to any of us, but it’s a tactic we’re probably more familiar with outside of the business environment. Take SIM-swapping – or SIM-hijacking – for example, which is on the rise. Just last month, T-Mobile disclosed a data breach in which an unknown attacker used SIM-swapping to gain access to the account information of hundreds of customers, including personal information and PINs.
SIM-swap fraud involves cyber-criminals taking control of users’ phone numbers after tricking them, or their mobile providers, into switching the number over to a SIM card in the scammers’ possession. This allows them to ‘take over’ the device, and receive calls and messages intended for the user – including texts relating to multi-factor authentication (MFA). They can then access the user’s accounts to, for example, change passwords, intercept emails and steal money and personal data.
In Their Sights
On the whole, SIM-swapping is currently used to compromise individuals, and no T-Mobile for Business customers were affected by the incident. However, organizations should be aware of the risk this and other kinds of ‘consumer’ scams – including phishing, copycat websites and malware – could increasingly present. It seems inevitable that criminals will target employees who continue to combine home and office working, in order to infiltrate corporate networks, systems and databases, as well as access the increasing volumes of data being stored on devices.
T-Mobile did take action following the breach – quickly terminating the activity, and recommending that its customers change their PINs. Businesses need to be much more proactive: putting in place stringent safeguards to protect themselves against being compromised and, importantly, to strengthen their resilience in the event that attackers find a way around their defenses.
Secure the Data and Device
Applying endpoint controls such as data loss prevention, detection and response, application control and privileged user access will block unauthorized attempts to access corporate networks and data via devices that connect to them. This means that whatever hardware the employee is using to carry out their work – from corporate laptops to personal tablets – they’ll be able to do so safely.
Implementing a company-wide policy that requires the end-to-end encryption of data will provide a straightforward way of managing risk to critical information as it’s moved and stored. Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data.
Being able to show that these measures were in place if an attack occurs also supports resilience, giving organizations the ability to demonstrate transparency and due diligence in the event of a successful breach.
Arm the Workforce
Centralized security controls no longer suffice in a dispersed, constantly shifting working environment. Employees will need to be given more autonomy if they’re to play their part in defending the business against cyber-attacks.
By providing employees with removable USBs and hard drives that automatically encrypt all data written to them, companies can give the entire workforce the capability to securely store data offline and move it between office and home safely. Making individuals responsible for backing up their data locally, on a regular basis, will support the ability to get up and running quickly following a breach or other disaster, by restoring from a clean, protected data set.
Employees need to be equipped with knowledge as well as tools and technologies. They should receive ongoing training in how threats to the business are evolving, what to look out for, and basic security hygiene measures such as when to change passwords. In addition to understanding the company’s security policies and how to adhere to them, staff should be educated in why their role is important – with real-world examples of threats and descriptions that bring to life the specific risks the business faces.
As employees continue to work from multiple locations, using both business and personal devices, their organizations are at risk of the large-scale disruption and loss made possible by new types of attack that have traditionally targeted individuals rather than businesses. Arguably, no organization is immune. Every business should act now to safeguard themselves and mitigate the impact of any such attack, on a data, device and user level.