How to Avoid an Invisible Threat to Your Organization
We read a lot about ransomware and other cybersecurity threats. However, these aren’t the only threats to an organization’s information security. A social engineering attack can also bring down an organization.
Here’s the kind of threat that exists today that your readers may not have considered. Forewarned is forearmed.
Information was stolen - but how?
Sam Levy is President and CEO of Condor Security Enterprises and YOOSEC Technological Solutions, and in his line of work he gets to see kinds of threats that few of us ever think about. Here’s an example of the lethal but invisible security threat an organization can face.
A large European electronics and telecommunications company called on his expertise to solve an information security problem. For the sake of confidentiality, we’ll give the company the made-up name “Elias.”
As Levy remembers, Elias “…just couldn’t understand how so many trade secrets were ending up in the hands of their competitors.”
The company watched as its patent applications, trade initiatives, information on key employees, and product initiatives were becoming known to its competitors. The competitors were viciously exploiting Elias’s normally secret information.
Management at Elias couldn’t believe that they were being hacked. They had invested in top-of-the-line cybersecurity, and further, they were hyper-vigilant, maybe even best in class, in protecting their digital information. They knew the information was being stolen, but they couldn’t figure out how.
Social engineering made Elias vulnerable
Elias had a non-cyber vulnerability, one that proved just as harmful as a bad cyber-attack. For Elias, part of the problem was that they had been in business for 150 years and as part of their culture held the old-school belief that their competitors would act as honorably as members of Elias habitually did.
Members of Elias had trouble even suspecting that their competitors would engage in industrial espionage. This meant they hadn’t considered the dangers from social engineering attacks.
They were deeply shocked when Levy was able to show them what their competitors had been doing.
1. When Elias executives were traveling by plane to their different global offices, industrial spies made it a practice to book seats directly behind the Elias people and would listen in on their conversations.
2. The industrial spies would attend conventions and target Elias personnel. Sometimes they could get the information they were after from something as simple as people being too forthcoming during a Happy Hour after one too many drinks.
3. The industrial spies also practiced a longer-term approach. When they were targeting an employee, they’d get to know what kind of guys or girls he or she liked. They’d also learn about the target’s hobbies and home situation. Over the course of months or even years, they’d become good friends with their target. The target would no longer have his or her guard up, and bit by bit would unintentionally divulge information on products, patents, and strategies.
Levy points out that even one information thief can do endless harm to an organization. However, often it’s not just one. In a $150-billion-a-year company like Elias, there can be 20 professionally trained, highly paid spies at work.
Levy points out that if 20 people are using social engineering tactics to get your organization’s informational crown jewels, probably not all of them will be successful. However, even if only some of them connect, the harm to your company could threaten not just its competitive position but its viability.
Levy has devoted decades to combining advanced security solutions with innovative technologies to help companies predict, forestall, or rapidly deal with these kinds of breaches. Based on his experience, he recommends that any organization with proprietary information do the following:
1. Don’t assume, “It couldn’t happen here.” Bad guys are out there, and they will do everything they can to operate under your radar as they steal your organization’s secrets.
2. Take into account that risk can rapidly become a threat which spreads both horizontally and vertically throughout your organization.
3. Involve all the people in the organization. Give them human and technological tools to spot risk.
4. When recruiting new people, be aware of the possibility of industrial espionage. A disloyal employee is a particular threat because, as Levy points out, “The person has to do something very, very wrong for you to find out.” (Question: what do you do, or what questions do you ask, to rout out the spies?)
5. Take advantage of the most modern human and technological tools to help everyone in your organization see and respond to the normally invisible threats.
Levy concludes by saying, “It's a subtle war that is becoming more and more part of our reality. We can’t address it if we’re not aware of it. But when we can identify the threats, preferably in real-time, we can control the situation.”
*Mitzi Perdue is a speaker and author of 52 Tips for Combatting Human Trafficking. Contact her at www.MitziPerdue.com.
Mitzi Perdue is a journalist reporting from and about Ukraine. She has visited multiple times, has many local contacts, and often focuses on war crimes.