Moving target: the ‘consumer’ scams set to become a business threat
Jon Fielding, managing director EMEA, Apricorn
The recent arrest in the UK of eight men suspected of running a SIM swapping ring has highlighted the level of disruption and large-scale loss this type of cyber-attack can potentially cause. Also known as SIM hijacking, SIM swapping involves criminals tricking users or their mobile network providers into switching their phone number to a SIM card in the fraudsters’ possession. This gives them control of the victim’s phone number, so they receive the calls and messages intended for the user – including texts relating to accessing accounts and changing passwords. They can then take over the user’s accounts to, for example, steal money and personal data.
SIM swapping is currently used almost exclusively to target individuals, with reports from consumers to Action Fraud rising 400% in five years. However, with cyber criminals looking for new ways to take advantage of people who continue to work remotely, businesses must open their eyes to the risk this and other types of ‘consumer’ scam could present in the future.
The expanding threat surface
Even as restrictions lift, employees are likely to continue working from multiple locations, using a mix of business and personal devices. Targeting these devices provides attackers with a potentially lucrative way of infiltrating corporate networks, systems and databases, as well as the increasing volumes of data being stored on the devices themselves.
In the case of SIM swapping fraud, network providers have ramped up security measures, but attackers continue to find a way around them. In February, T-Mobile disclosed a data breach after an unknown attacker used the tactic to gain access to customers’ account information, including personal details and PINs.
Businesses cannot rely on third parties to take action. They must protect themselves against SIM swapping fraud and similar ‘consumer’ scams – including phishing, copycat websites and malware – at the data, device and user levels.
Lock down the endpoint
Endpoint controls will secure any end-user devices – smartphones, tablets, laptops, home computers and removable storage devices such as USB drives – that connect to the enterprise network. By blocking unauthorised attempts to access networks and data at these potential points of entry, they enable employees to use their devices safely.
Solutions might include data loss prevention, endpoint detection and response, application control, privileged access management and network access control.
The most powerful tool in the endpoint security kit is encryption, which fully protects data whether it’s at rest or in transit. Organisations are increasingly turning towards company-wide encryption policies as a straightforward way of managing risk in the complex new working environment. Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data.
Empower employees
In an environment where the defensible perimeter of the organisation is fluid – and in many cases fuzzy – centralised security strategies and controls no longer suffice. This makes it necessary for IT teams to devolve some of the responsibility for protecting the company’s security posture onto employees.
Each and every member of staff must understand they have an active role to play in defending the business against cyber-attacks, and in staying vigilant about threats. They also need a full grasp of what that role involves – including knowledge of how to control risk. Companies should build awareness of how threats are evolving, and of the kind of tactics criminals may use to attempt to penetrate the business, including the social engineering approaches most commonly seen outside the corporate environment.
Training in basic security hygiene is important; many security breaches are down to something as simple as forgetting to change a password or clicking on a link from an untrusted source. Employees should be clearly and directly briefed on the company’s security policies, as well as the regulations the organisation is required to adhere to. Training and education programmes should be ongoing, and include freelancers and other third-party contractors.
Mandating the offline storage of critical data is one way of keeping it out of reach of hackers. Each employee should be made responsible for backing up their data locally, to a corporate-approved removable USB or hard drive that automatically encrypts any information written to it. The data will be unintelligible to anyone not authorised to access it, keeping it safe as it moves between office and home, and ensuring information can always be recovered and restored in the event of a breach.
As the line between home and office continues to blur, it’s likely that so too will the line between the techniques employed to target individuals and those used to compromise businesses. A three-pronged defence that focuses on securing the data, device and user will ensure that the organisation can embrace new ways of working, while blocking any attempted raids by opportunistic cyber-attackers.