FALSE FRIENDS – DEFENDING BUSINESSES AGAINST THE RISING TIDE OF SOCIAL MEDIA

By James Smith, Principal Security Consultant & Head of Penetration Testing at Bridewell Consulting


Each day, thousands of businesses fall victim to cyber crime, with malware and ransomware among the most prolific threats. Increasingly, cyber criminals are also adopting highly targeted attack vectors, intensifying their use of phishing and social engineering to gather information and exploit vulnerabilities by deceiving employees.

In the financial services sector, information theft is a particular concern. Large or small, businesses in this sector handle incredibly valuable customer data that can be sold on the black market or used to gain access to valuable assets.

Because they offer anonymity, networks such as Facebook and LinkedIn are often the first stop for cyber criminals looking to gather intelligence before closing in on their target. According to RSA, social networks have now become one of the fastest-growing channels for cyber criminality: over six months, it observed a 70% growth in the volume of visible fraud activity on social media.

As with other security threats, forewarned is forearmed. While it is impossible to identify every risk, understanding how social media may be misused and recognising known and unknown vulnerabilities will go a long way towards safeguarding against myriad threats – including fraud, information theft and other online criminality targeted at the financial sector.


Information goldmine

Any employee can be exploited as a weak link for cyber criminals. As such, it is more crucial than ever for businesses in the financial sector, and any other organisation with valuable digital assets, to create an organisation-wide, security-aware culture.

Social media platforms, email and even corporate websites can yield a lot of valuable information that may be used as part of a targeted cyber strike. For example, who works where, who reports into whom and even the language and expressions that individuals use in posts and emails may be used against the organisation.

In many cases, cyber criminals will seek to exploit human vulnerabilities and use them as the access points for attacks on organisations. Social engineering by attackers hiding behind false identities is a particular threat on social media platforms: despite the risks, many people will accept friend requests from people they don’t even know – particularly if they are attracted to their photograph.

As well as creating new identities, cyber criminals may also impersonate real individuals – especially those who do not use social media or are relatively inactive on it – in order to gather meaningful intelligence or target others in that person’s network.

Corporate social media accounts are also a potential threat that may betray useful information. This may include the type of access control system an organisation uses, the location of its CCTV cameras or its regular suppliers and vendors, which might be identified by something as straightforward as who the business likes and follows on social media – and who likes and follows it.


Red alert – testing resilience

Inevitably, cyber criminals will seek to exploit individual employees as a weak link. However, if they are properly trained, more alert and better able to identify security threats, they are much less likely to expose the business to attack.

Security training should be structured and ongoing, informing employees about the latest threats, what to look out for, and best practices to employ. As well as drawing attention to social-media-linked threats such as social engineering and phishing, a best-practice approach will also cover protective measures such as multi-factor authentication, password managers, keeping browsers up to date and only using reputable plug-ins.

Replicating security threats using simulations to catch the business off-guard can also be an extremely effective way to build and test resilience. Likewise, it can also serve to highlight in a safe setting just how convincing cyber criminals can be, making it an important part of ongoing security training.

One method that’s growing in popularity is ‘red teaming’, an attack simulation that sees security experts attempt to breach networks and systems, as well as use social engineering tactics via email and social media. They will also try to gain physical access to premises and devices to expose and highlight vulnerabilities. Depending on the individual requirements of the organisation, red teaming may also be goal-led and focus on bring-your-own (BYO) devices to gain access to the corporate network.

By employing a trusted and accredited third party to conduct such realistic simulations, organisations can be confident that any potential vulnerabilities are soon identified and swiftly rectified.


Unified defence

Like any other aspect of the digital landscape, cyber security threats are evolving at pace. Awareness building, risk assessments and audits are all important steps organisations can take to reduce vulnerability. To properly build cyber security resilience, however, companies must assume that an attack will happen and ensure that all stakeholders understand how to play their part in preventing and responding to threats.

In today’s digital society, any interactions on social media may be seized upon and exploited by cyber criminals. In becoming more aware of and alert to potentially fake friends on social media and the many other cyber security threats they may encounter, stakeholders at all levels of the organisation will be far better equipped to do their part in defending it.
