Cyber Crime Methods Are Evolving

The cybercrime landscape is changing fast as criminals alter their operating strategies, develop new tools and techniques and take advantage of changes in consumer and business behavior. 

Mobile telecoms are vulnerable to cybercriminals as its popularity as a banking and e-commerce channel grows and more services become available via mobile apps. Criminals are also learning to exploit the fast-growing Internet of Things (IoT) market  by exploiting poor password practices to hijack  IoT devices.  

In addition, industry standards and global regulations are driving a digital transformation, yet opening up new points of vulnerability that have the potential to be exploited.

These techniques are used everywhere; in the workplace, on the commute, at the coffee shop and even in our bedrooms, social media has become a key component of modern life. 

Shielded by anonymity and with plenty of scope to uncover valuable information and catch employees off-guard, social networks are increasingly invaluable tools for cyber criminals, and often the first place they will go to gather intelligence on a target organisation. According to RSA, social media may be the fastest-growing communication channel for cyber criminals. Over six months, it observed a 70% growth in the volume of visible fraud activity on social media. So how can businesses protect themselves from the growing threat?

Understanding the Risks

The best way to mitigate cyber security risk is to understand how social media can be misused and identify known and unknown vulnerabilities. With a better understanding of the threats, stakeholders at all levels of the organisation will be more alert and informed, making the business less susceptible to the growing threat from social media cyber-crime.

Who works where, who reports into whom, what language and expressions do individuals use in posts and emails – there is a lot that cyber criminals can learn from social media accounts.

From a phishing attack to social engineering, there are plenty of methods of exploiting day-to-day business activity and using employees as the access points for attacks on organisations. Whether that’s trying to infect a network with malware, steal credentials or gain access to the building. Social engineering, for example, is widely used. Many people will accept friend requests on social media from people they don’t know, particularly if they’re attractive in their photograph, meaning cyber criminals don’t even have to impersonate a real person to access information being shared, target others in their network and gather meaningful intelligence.

As well as creating new identities, cyber criminals may also impersonate real individuals who either do not use, or are rarely active on social media, to target known friends, associates or the organisations they work for.

It’s not just individual employees that are potential informants; the company may unwittingly betray itself online by sharing too much information. This could be images that allow attackers to identify access control systems, the location of CCTV cameras, or posts about the suppliers and vendors they use. Cyber criminals can find this out by identifying who the company likes and follows on social media and who likes and follows them back.

Creating a Security Culture

With so many avenues into the organisation through social media, security awareness is paramount. Any individual in any role can be exploited as a weak link in an organisation’s armour, making it more important than ever to build an organisation-wide, security-aware culture with a clear understanding and appreciation of social media cyber risks.

Ultimately, it is staff that are interacting with pages, posts and clicking on links who, if they are properly trained, will be aware of the threats and able to identify them, they will inevitably be less likely to unwittingly give away information or expose the business to attack.

User training should be structured and ongoing, providing a continuous stream of information about the latest threats, what to look out for, and best practices to employ. It should also include simulations on a regular basis to improve staff understanding of the different types of attacks and how convincing cyber criminals can be in a safe setting.

As well as highlighting social media-linked threats, phishing emails and a range of other threats, a best-practice approach will also build in other protection methods such as multi-factor authentication, password managers, keeping browsers up to date and only using reputable plug-ins.

More sophisticated organisations will also undertake red team assessments to catch the business off-guard. This is a full-attack simulation that focuses on attacking all areas of the organisation, both through physical and cyber measures, making it an extremely effective way to test and build resilience.

Acting the part of cybercriminals, security experts will attempt to breach networks and systems, employ social engineering tactics via email, social media and in person, and will also try to gain physical access to premises and devices to expose and highlight vulnerabilities. Red teaming may also be goal-led and focus on testing bring-your-own (BYO) devices to gain access to the corporate network.

In a recent exercise, employees were sent a message from someone posing as a member of the organisation’s IT team. The email stated that one of the employee’s social media posts had breached corporate guidelines and had to be taken down immediately.

The email contained a link to the offending post (which of course was not a link to the non-existent article by embedded malware) prompting an immediate and emotional reaction from employees who were nervous about what they had posted and clicked on the link.

Damage Limitation

While awareness building, risk assessments and audits will go a long way to prevent cyber security threats, organisations must assume that an attack will happen. It’s no longer a case of if but when and organisations should focus on building cyber security resilience so that they can mitigate risk by ensuring that the business knows how to respond to specific threats.

In today’s digital society, any interactions on social media may be seized upon and exploited by cyber criminals. As with all threats, forewarned is forearmed, making employee awareness a must.

By working with an accredited cyber security specialist to develop a robust training programme, businesses can mitigate the potentially damaging consequences to the organisation, its reputation, and its balance sheet.

RSA:      TechNative:       Telegraph

You Might Also Read: 

Why An Effective Security Culture Is Essential For Your Organisation:



 

« The Global Cyber Security Market Will Be Worth $280b By 2027
US Increases Pressure To Stop Huawei 5G In Britain »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Metasploit

Metasploit

Metasploit penetration testing software helps find security issues, verify vulnerabilities and manage security assessments.

Veeam

Veeam

Veeam is the leader in intelligent data management for the Hyper-Available Enterprise.

CERT.LV

CERT.LV

CERT.LV is the national Computer Emergency Response Team for Latvia.

Fortress Group

Fortress Group

Fortress is specialized in confidential and discrete recruitment solutions and temporary staffing in the field of security and risk management.

AimBrain

AimBrain

AimBrain tools detect and prevent fraud, faster and more accurately than ever before.

World Congress on Industrial Control Systems Security (WCICSS)

World Congress on Industrial Control Systems Security (WCICSS)

The World Congress on Industrial Control Systems Security (WCICSS) is focused on emerging trends in protection of industrial control systems.

KETS Quantum Security

KETS Quantum Security

KETS harnesses the properties of quantum mechanics to solve challenging problems in randomness generation and secure key distribution and enable ultra secure communications.

IntelliGenesis

IntelliGenesis

IntelliGenesis provide comprehensive cyber, data science, analysis, and software development services that provide tailored, secure solutions for your critical data and intelligence needs.

Cyvatar

Cyvatar

Cyvatar is a technology-enabled cyber security as a service (CSaaS) provider delivering smarter managed security to help you achieve compliance and security faster and more efficiently.

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce has partnered with Purdue University and Carnegie Mellon University to create the Rolls-Royce Cybersecurity Technology Research Network.

Outsource Group

Outsource Group

Outsource Group is an award winning Cyber Security and IT Managed Services group working with a range of SME/Enterprise customers across the UK, Ireland and internationally.

1Touch.io

1Touch.io

1touch.io Inventa is an AI-based, sustainable data discovery and classification platform that provides automated, near real-time discovery, mapping, and cataloging of all sensitive data.

Cyber Crucible

Cyber Crucible

Cyber Crucible is a cybersecurity Software as a Service company definitively removing the risk of data extortion from customer environments.

Protect AI

Protect AI

Protect AI is a cybersecurity company focused on AI & ML systems. Through innovative security products and thought leadership in MLSecOps, we help our customers build a safer AI powered world.

Allstate Identity Protection

Allstate Identity Protection

Allstate make it easy to provide complete identity protection, so everyone can live more confidently online.

Afripol

Afripol

AFRIPOL was set up to strengthen cooperation between the police agencies of AU member states in the prevention and fight against organized transnational crime, terrorism, and cybercrime.