3 low-tech threats that lead to high-profile breaches

In an age where data security defenses are getting more and more sophisticated, there will be increased pressure for malicious parties to glean information from within the organization's walls or public places.

Moving forward, we can expect to see a shift from hacking networks to a focus on hacking people. The tactics used to hack people are not highly sophisticated and can encompass relatively stealthy threat vectors, making them hard to trace. It seems simple, but it's important not to overlook the low-tech threats in our high-tech world.

Here are three threats that all IT professionals should be aware of and take necessary steps to mitigate:

Visual hacking

Visual hacking, a low-tech method used to visually capture sensitive, confidential and private information for unauthorized use, is an under-addressed corporate risk. After all, a hacker often only needs one piece of valuable information to unlock a large-scale data breach.

Take this scenario: A malicious third party enters an office space under the guise of being with a vendor or as a building worker. The individual is given a building pass and essentially has free roam of the office. It is all too easy for this person to snap a photo of an employee's device screen as it is displaying access and login credentials. The malicious party has visually hacked the company and now has the ability to penetrate deep into the organization's networks and launch a cyber attack.

Addressing this concern: Taking steps to shift workplace culture to value visual privacy is necessary to combatting this emerging corporate risk. Policies and procedures should address visual hacking on devices and physical documents. Employee awareness and communication programs combined with ongoing education about visual hacking and other low-tech threats can also help.

Equip employees with tools such as privacy filters and the 3M ePrivacy Filter for visual privacy from virtually every angle as a part of a larger visual privacy toolkit.

Insider threat

Data loss as a result of employee behavior should be a major concern for IT professionals today. More and more examples of this pop up on a seemingly daily basis. One of the most recent incidents occurred at Sony Pictures, where hackers under the guise of GOP (Guardians of Peace) claim to have utilized insiders to gain access to the company, compromised records and threatened to hold company data ransom unless demands were met.

Careless employees, particularly those that have access to company networks through BYOD or company-issued devices, can easily compromise company data or intellectual property and may be leaking data without even knowing it. A second category, disgruntled employees, can also pose a serious threat to proprietary company information. These employees may be lured by the potential of financial gain or have a spiteful agenda. As the hackers in the Sony Pictures incident claim, employees with similar interests to the hackers may also be persuaded to join their cause and assist with attacks from the inside.

Addressing this concern: In the case of the careless employee, lack of awareness and lack of diligence play large factors in data loss. IT professionals can help mitigate the risks by ensuring that corporate policies and procedures include language on professional conduct with company data, and by increasing efforts to communicate these to employees. Take the extra step of ensuring that devices have remote wipe capabilities in the event that a phone or laptop falls into malicious hands. In the case of disgruntled employees, monitor for suspicious behaviors, particularly following a bad review or probationary period.

Social engineering

Rather than using high-tech hacking techniques, social engineering attacks happen when a malicious party gains access to company systems or data by exploiting human psychology. A social engineer may strike by calling employees while posing as a trusted vendor or a member of the IT team who needs confidential information, like passwords and email addresses, to rectify an issue with the server. Or they may try to gain access to company networks through "spear phishing," sending an email that pretends to be from a friend and invites the employee to click on a link.

Once the malicious party strikes, it's not hard to penetrate deep into a company's networks and databases. Today's social engineers are extremely savvy, often studying companies prior to launching an attack, becoming familiar with their activities and lingo while projecting confidence and using reason to disarm social engineering victims.

Addressing this concern: Raising awareness is of the utmost importance when combatting social engineering. Creating a communication campaign that highlights real-world examples can help employees recognize that social engineering attacks are real and can take various forms. Employees should also be encouraged to report suspicious behavior to IT managers.

The threat landscape is ever evolving and as firewalls, anti-malware and other high-tech defenses make company databases harder and harder to penetrate from the outside, hackers will look to hack human assets to gain access to confidential information. IT professionals and leadership need to take steps now to put defenses in place along with company policies to safeguard against these low-tech threats.

Larry Ponemon is chairman and founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices, and chairman of the Visual Privacy Advisory Council, a panel of privacy and security experts dedicated to raising awareness for the issue of visual hacking.
