Cyber, Risk, Security

Gone Phishing…

By now, you probably know what links the political, celebrity and technological heavyweights Barack Obama, Joe Biden, Kim Kardashian, Elon Musk and even Bill Gates. That’s right: their Twitter accounts were hacked and replaced with a message asking their millions of followers to donate bitcoins into hackers’ accounts, for which they would reportedly double all donations, as part of their commitment to ‘give back to their community’.

Upon hearing this news, many of us were filled with the same type of anxiety and desperation, asking ourselves the same question: if it can happen to them, with all their cybersecurity resources and know-how, what hope do I have? How can I protect my personal and business accounts, yet still keep open the social network accounts that are a vital part of any modern business?

Assess the risk

Perhaps the most important thing to do in this situation – as in any moment of danger – is to assess the risk and analyse its origin before reacting. Is my account and my company’s information at risk? Yes.

So now, the reaction: what can I do to protect myself? And how can I learn from others’ mistakes in order to prevent problems for my company, before they happen?

For this, a brief peek behind the headline gives us most of the answers. Twitter has now confirmed that the attack was caused by human error, as part of a spear-phishing attack on its employees, which gave the criminals a ‘back-door’ entry into its users’ accounts.

It’s worth noting that Twitter employees are no slouches with their use of technology, but it seems that it was good old ‘human vulnerabilities’ (quoting Twitter’s own comments), rather than technological faults, which the hackers exploited so efficiently.

Types of phishing

Phishing normally occurs via email or text message, in an attack designed to trick people into handing out information such as passwords by encouraging victims to click on fake links to re-establish or reactivate accounts or verify login information. Spear-phishing is a more targeted approach, often aimed directly at people with possible access to highly valuable data within a business or organisation. This message normally appears to come from a trusted contact, and often includes ‘heavily customised’ personal or specific information to make it more convincing. However, phone calls – known as vishing – can also be used, as seems to be the case in the Twitter hack.

Strengthen your weakest link

So, we come back to the same question: how can I protect my company and its information? How can I guarantee my staff don’t fall into the same trap as Twitter’s employees? The answer, as always, is prevention: risk analysis, the training that follows from it, and clear protocols for all.

Here are a few clear tips that can be put into place immediately:

  • Install and update antivirus software, firewalls and anti-phishing programs on all company and personal computers from which staff access company accounts or information.
  • Never follow links in emails, messages or attachments that ask you to confirm information. Reputable businesses never send this type of request.
  • Open websites directly from your browser, by typing the address, and check the HTTPS certificate of each page you are entering.
  • In case of any doubt, ask employees to contact the relevant company directly through its website, or through a telephone number recorded beforehand.
  • Establish a list of sensitive information and require two staff members to sign off before transmitting such data to any third party.
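The link-related tips above can be turned into a routine check before anyone clicks. The following is an added example, not code from the original article: it flags the signs the article describes (link text naming one site while the real address goes elsewhere, plain http, lookalike hosts, and paths that ask the reader to verify or reactivate an account). The trusted-host list and the sample links are assumptions constructed for the example.

```python
"""Heuristic inspection of links found in a suspicious message (added example)."""
import re
from urllib.parse import urlparse

# Hosts the company treats as legitimate login endpoints (assumed list).
TRUSTED_HOSTS = {"twitter.com", "accounts.example-bank.com"}
# Words phishing lures use in the path, per the article ('verify', 'reactivate', ...).
LURE_WORDS = ("verify", "reactivate", "confirm", "login", "suspend")


def registrable(host: str) -> str:
    """Crude 'last two labels' domain, enough to compare hosts in this demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(display_text: str, href: str) -> list[str]:
    """Return the reasons this link deserves suspicion; an empty list means clean."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()

    if url.scheme != "https":
        findings.append("not https")

    # Visible text that looks like a URL but names a different domain than the href.
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", display_text, re.I)
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"text says {m.group(1)} but href goes to {host}")

    # A trusted brand name embedded in a host that is not the trusted host itself.
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[-2]
        if brand in host and registrable(host) != registrable(trusted):
            findings.append(f"lookalike host {host} (not {trusted})")

    if any(word in url.path.lower() for word in LURE_WORDS):
        findings.append("path asks to verify/reactivate/login")
    return findings


if __name__ == "__main__":
    # Constructed sample: the visible text and the real target of two links.
    for text, href in [("twitter.com/settings", "http://twitter-security.co/verify"),
                       ("Settings", "https://twitter.com/settings")]:
        print(text, "->", href, assess_link(text, href) or ["no findings"])
```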

As any criminal knows, you’re only as strong as your weakest link. And it’s a criminal’s job to find your weakest link and exploit it, before you have a chance to shore it up. So, as Twitter put it: ‘this was a striking reminder of how important each person on our team is in protecting [us].’ The solution is found within the source of the problem: the human element. Provide sufficient training and implement strict protocols for every staff member.