It was 5.40pm and my phone was ringing. I didn’t know it at the time but this was going to be one of “those calls”, I’d had one last year too. My friend had just left the bank after being grilled by them for 5 hours. The day previously someone had entered the bank, confirmed their identity and proceeded to clear out all her bank accounts and investments. The bank had thought that the thief had come back to finish off the job, thinking it was her they grilled her for 5 hours. The bank, in the end, managed to recover about half of her money but the rest had gone.
We had a chat and it came to me quite quickly that over the past month or so, someone had been slowly gathering information on her (hindsight is a terrible thing). Her phone went missing for a day only to reappear, the strange phone calls from “Microsoft Support”. All of which may have rung alarm bells for someone who had been trained in CyberSecurity but unfortunately she hadn’t, but that isn’t surprising. Only 15% of employees are trained in CyberSecurity.
Experts are saying British businesses are not doing enough to protect themselves. Cyber attacks are exacting a heavy toll on British businesses. Research company Cebr last year reported £34bn of increase IT expenditure and lost revenue due to CyberSecurity. The UK Government found boards of half of FTSE 350 companies only hear about cyber incidents only on an occasional basis or when something goes wrong.
Salesforce has a whole host of security measures in place to stop or reduce the risk of hacking, and rightly so. Security is incredibly important to them, one hack or perceived hack to ruin Salesforce overnight. But security isn’t full proof and the damage can sometimes harm a companies reputation maybe more than the actual attack. TalkTalk a UK cell phone company was hacked last year and lost 156,000 customer credit card and account details. Last week they announced, a year after the attack they had lost 101,000 customers and their profits had more than halved as a direct result of the hack.
A recent report of UK companies showed that nearly half (46%) of small business owners have no employee responsible for data security and more alarming 27% have no process or policy at all. But it’s not just isolated to small companies. Last year saw a conservative estimate of 487,731,758 records (based on public information) of data leaks from companies like Hyatt, Hilton HHonors, Costa Coffee, Mumsnet, 56 Deans Street clinic (that leaked 780 HIV patients and the NHS Trust was fined last week £180k) and JD Wetherspoon nearly 700,000 personal details were stolen.
Employees are now the weakest link in CyberSecurity
Now hackers have changed tack. As dedicated IT security hardware and software has increased in companies, hackers are now turning to the next weakest link. Employees! Several years ago a book opened up this world to the public; it was “The Art of Deception” it documented how social engineering techniques could be used to extract information from employees. All it takes is one small slip up from an employee to set off a chain reaction which could result in a cyber attack.
According to the PWC Global State of Information Security Survey, 2015, employees remain the most cited source of security compromise (over 55%), and incidents attributed to business partners also climbed 22 percent.
At last week’s London Salesforce WorldTour I demonstrated how a small release of information could ultimately result in an employee trusting a hacker and providing information. Here are some of the ways:
- Exploiting Public Information: Job boards have a wealth of information on a company, what technologies are used in a company as well as names of internal departments this can be invaluable to a hacker to gain an internal knowledge of a company.
- Phishing Emails: The hacker uses official-looking emails based on the public information to get the user to fill out an online form. The form may only just ask for the employee’s name and username and nothing more. Giving just your username isn’t a problem is it?
- Social Engineering: The hacker users the information they have received to convince a different employee that they are an employee to build trust with their target. With the information collected, they ask the target employee to confirm “their identity” by looking up their username on the internal network to verify that they are an employee. Now the trust is built with the employee they can continue with the next phase of the attack which again could be a very small step in a much larger plan of attack.
Get the skills to protect yourself online
But it’s down administrators and developers to protect their system from their employees? Not anymore! Attacks are becoming more sophisticated. In my opinion, EVERYONE who uses the Internet should get at least basic CyberSecurity training to protect themselves online as well as ability to protect their company!
One of the best free online courses I’ve seen online has been created in collaboration with GCHQ (British intelligence) and is accredited by the Insitute of information Security Professionals (IISP). It’s a FREE 8-week course that gives you the skills to protect yourself online, no strings attached. I mentioned this at a recent user group and several people are now doing the course and loving it.FREE CyberSecurity course
Take the User Authentication Salesforce Trailhead
Take the User Authentication trailhead on Salesforce Trailhead. This is a great module that introduces you to two-factor authentication in Salesforce. It goes on the premise that you can’t login to Salesforce without something you know (your Salesforce Password) and something you have (your mobile/cell phone).User Authentication Trailhead Module
My Top Security Tips
- Switch off notifications on your cell-phone lock screen; Hackers realise that people are using their phones as 2-Factor Authentication. Google, Salesforce, PayPal, etc. all can send text messages with a code in them to your phone before you can login in Salesforce. This is a great extra security measure. But if you allow notifications to appear on your lock-screen sometimes the hacker doesn’t even need to know the code to your phone as the 2-factor auth code is displayed on the phone without needing to be unlocked.
- If you haven’t taken CyberSecurity training do it; Even if you “think you know it” do it! I guarantee you will learn something to help protect yourself as hackers are becoming ever more sophisticated and are constantly adapting.
- Learn about switching on two-factor authentication & IP Restrictions on your Salesforce org; Checkout the Salesforce module above.
- Tell others; Without getting the word out, more people could lose their life savings to hackers. Please share or tell others about the free online training.