You would never let your kids use their “Show and Tell” time to share your family’s finances, vacation plans and home security system code. I wouldn’t either. While we’re all fairly well informed about risks in our physical environments, we tend to be woefully exposed to comparable risks in the ultimate show and tell forum of our digital worlds.
Digital Breaches Dominate the Headlines
You may have missed the recent news that some media outlets describe as one of the largest-ever securities fraud schemes. A pair of Ukrainian hackers penetrated the computer systems of leading press release distributors to gain advance access to earnings reports, mergers and acquisitions announcements, and other information impacting stocks from publicly traded companies before the information was released. The hackers then passed the information to traders who hedged their bets accordingly.
The good news is that the U.S. Securities and Exchange Commission has filed a civil lawsuit against 17 individuals and 15 corporate entities worldwide who collectively may have harvested more than $100 million in illegal profits over five years. The bad news is that hacker stories like this are regularly making headlines – Ashley Madison, Anthem and many U.S. government agencies are among the most prominent victims profiled over the past 12 months.
Hackers Help Themselves to the Digital Keys We Leave on the Back Porch
I can’t help but feel that the media tends to let readers believe that hackers are performing “cyber-ninja tricks” to access our secret data. But that’s simply not true. Many data breaches result from simple social engineering or phishing. Both are “good old fashioned” cons. One is generally perpetrated directly and the other via electronic subterfuge.
How do Cyber Criminals Decide Who to Target?
It’s simple: they devise a scheme for making money and select a target (take, for example, the 225,000+ iPhone users recently hacked). Then they go out and find people, vendors, employees, executives or others who are somehow associated with the target.
Where Do They Troll for Potential Victims?
Google and social media, just like the rest of us. How many of us have LinkedIn or other social media profiles that clearly state where we work? How many of our firms have websites listing employees and their titles?
Access to public information makes easy work for savvy hackers, who then peruse personal profiles and social media to learn about a target’s family, friends, interests, activities and “likes.” With this information in hand, they tailor their phishing or social engineering scheme to the individual they are targeting. You may think it’s innocent enough to post a picture with a geo-location from your high school reunion or list your hometown under your “About me” section on Facebook, but doing so can easily provide anyone with the answers to those “top secret” security questions asked when you reset or change your password, like “What high school did you attend?” or “In what town or city were you born?” All of this information is easily discoverable on many social media accounts.
I heard one cyber security expert comment that he interviews hackers who have been convicted of various levels of cybercrime and asks them why they chose this type of method for gaining access to data. He was surprised at the simplicity of their responses: it’s easy, it costs them nothing, and it works!
Weigh the Benefits of Public Sharing with the Risks – Always
Next time you share something publicly – as an individual or a family, or as a corporate team – think about the potential risks. Would you put a big sign in front of your house alerting neighbors and passersby that your family is taking a two-week vacation abroad? Probably not, so don’t post it to your Facebook either.