Introduction
In this day and age, workforces aren’t limited to the four walls of an office building. More businesses are implementing flexible work-from-home models that enable at least some measure of remote connections.
Similarly, cybercriminals aren’t only looking for places to poke holes within the organizational network. Think about it: What is a business except a collaboration of hardworking people? What are people except social creatures, bound to reach out and reveal themselves to others in their personal time?
When it comes to your business’s security, monitoring and protecting your employees’ work accounts may not be enough to prevent a cyberattack. Each and every staff member is also liable to reveal information on their personal social media, and that could give cybercriminals the information necessary to break into the professional files that they’re really looking for.
Effects on Security
Cracking someone’s password is undoubtedly one of the easiest ways to get into their account and access all of their personal documents. That’s why password security is the number one step for protecting a business.
Consider these very common types of passwords:
- Your pet’s name
- The street you grew up on
- Your mother’s maiden name
- Your favorite teacher in school
- The name of your children
- Important birthdays
- Password, password123, and similarly easy-to-guess variations
That’s not all. Common, predictable password patterns are the jackpot for interested thieves. That’s why changing cases, using numbers and symbols, and regularly generating new passwords are all common requirements.
Social Engineering in Action
Consider the following scenario: You run a small business with fewer than fifty employees. You’ve taken the time to train each and every one of them about the proper cybersecurity measures that they must follow on a daily basis in order to keep the business secure. The I.T. team is careful to send out regular risk assessments, training modules and phishing tests that everyone passes with flying colors each time. By all accounts, you’re a well-oiled, secure organization. Then a cybercriminal decides to target your business.
First, they begin scouring all the professional accounts connected to the company. That could include your professional Facebook page, Instagram, Twitter and whatever other business pages you hold on social media. But it doesn’t end there: They may also scroll through and notice that you recently lauded one of your top salespeople for their longtime loyalty and contributions. From there, they get the idea that this person most likely has access to plenty of important information since they’ve been doing such good work for the company for many years.
This bad actor then switches gears and starts looking through this salesperson’s accounts. Since the employee has been well-trained by your I.T. team, they don’t have anything telling on their LinkedIn or professional profiles. Yet with a little bit of a deeper dive, the criminal discovers the personal profiles of this employee. There, the employee talks freely about their hobbies and how excited they are to go to the park with their daughters, Ella and Stella; their wall shows birthday messages from just last month; and they share other details of their personal life on a regular basis, as many social media users do.
With this information, the cybercriminal successfully guesses that the employee’s work password is a combination of his daughters’ names mixed with his birthday. Now, they have access to all of the company’s private information, just like that! Although this employee was very careful whenever he was working or on the office’s closed network, he spilled details on his personal accounts that ultimately led to severe financial damages for his place of work.
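The scenario above also shows why case, number and symbol rules alone are not enough. The following check is an added example, not part of the original article: run at password-change time, it flags a new password that contains the user's own personal details even when it satisfies the usual complexity rule. The function names, the substitution table and the sample birthday are assumptions made for illustration; the names Ella and Stella come from the scenario.

```python
import re
from datetime import date

# Undo common character substitutions (0->o, 1->l, 3->e, ...) before matching names.
LEET = str.maketrans("013457@$!", "oleastasi")

# Constructed sample data: names from the article's scenario, invented birthday.
SAMPLE_NAMES = ["Ella", "Stella"]
SAMPLE_BIRTHDAY = date(1985, 4, 12)

def meets_complexity(password):
    """Classic composition rule: 8+ chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= 8 and all(re.search(c, password) for c in classes)

def date_fragments(d):
    """Digit strings people commonly type for a date, in both day/month orders."""
    y, m, dd = f"{d.year:04d}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, m + dd, dd + m, m + dd + y[2:], dd + m + y[2:],
            m + dd + y, dd + m + y, y + m + dd}

def personal_info_hits(password, names, dates, min_len=3):
    """Return the personal tokens found in the password (empty list = none)."""
    raw = password.lower()
    digits = re.sub(r"\D", "", raw)                        # digits only, for dates
    letters = re.sub(r"[^a-z]", "", raw.translate(LEET))   # de-substituted letters
    hits = []
    for name in names:
        token = re.sub(r"[^a-z]", "", name.lower())
        if len(token) >= min_len and token in letters:
            hits.append(name)
    for d in dates:
        if any(frag in digits for frag in date_fragments(d)):
            hits.append(d.isoformat())
    return hits

if __name__ == "__main__":
    for candidate in ("Ella&Stella0412!", "3ll@Rocks#77", "correct-horse-battery-staple"):
        print(candidate, meets_complexity(candidate),
              personal_info_hits(candidate, SAMPLE_NAMES, [SAMPLE_BIRTHDAY]))
```

The check is deliberately conservative: a short name can also match inside an unrelated word, so a hit is best treated as a reason to ask for a different password rather than as proof of a weak one.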
Conclusion
The previous example is fictional and simplified, but it nevertheless highlights the importance of cybersecurity 24/7. Crime doesn’t take a break, so precautions can’t either.
It’s not just passwords that are at risk when employees are lax with their personal info. Social engineering attacks take on a variety of forms that can play on people’s emotions and individuality to get them to expose the business, not necessarily maliciously, but through trickery and deceit.
Return to the previous example for a moment. Let’s say that our salesperson knows better than to make his password so easy to guess. Instead, the criminal notes his young children and pretends to be some kind of babysitting service that wants payment in advance. Maybe they create a fake profile, act like someone from his parenting group, and become friends with him online before convincing him to let down his guard.
There are all kinds of ways that cybercriminals can take advantage of private information on public profiles. Thus it’s not only professional accounts that need to be locked down tight. The tidbits gathered from your personal pages can be just as damaging in the long run. Cybersecurity is a 24/7 job.