The handling of personal, private and confidential data is starting to be a hot topic. Our privacy is important to us, and it is very clear that with all the benefits an online world brings we face an ever-increasing direct and indirect threat to that privacy. Social networking has improved our ability to connect with staff and customers in an unprecedented way, and the all-pervasive email is so embedded in our daily business and home lives that to look at alternatives would be unthinkable in the short to medium term. Email is here and we are addicted to it.
So what's all the fuss about? The main problem we are seeing today is data leakage. Small amounts of data leaked at a time through various routes may seem innocuous at first, until one starts to look at the threat of aggregation. The news of what the NSA, and no doubt many other government organisations across the world, collects is now old hat. Outrageous? Possibly, but for every legitimate government spying on its (or others') citizens for the purposes of national security there are no doubt countless nefarious organisations collecting the same data using the same techniques, with more sinister plans. The only difference is that you cannot vote out the bad people.
If I start to outline the data available on the average person (without any illegal activity, hacking or interception) you can start to see the problem. For many people in the UK you can find their name, address, date of birth, telephone number, their partner and family, their car, the bank they are with, their friends, who they work for (and their job), what their education is and where they were educated, and in many cases much more. This is data that they have inadvertently published or that has been published by third parties, either carelessly or on purpose. Even published photographs can leak data: location data is often embedded in the image file itself, which is why the army does not like photos of soldiers being published on social media in case location data is present.
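The location leak mentioned above can be checked for before a photo is published. The following is an added example, not code from the original article: a dependency-free parser that walks a JPEG's APP1 Exif segment and reports any GPS coordinates it carries. Tag numbers and the TIFF/Exif layout follow the Exif specification; the sample image bytes are constructed here and are not a real photo.

```python
import struct
GPS_INFO_TAG, GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x8825, 1, 2, 3, 4
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per Exif data type

def _read_ifd(tiff, offset, bo):
    """Return {tag: raw_value_bytes} for the image file directory at `offset`."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, val = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * n
        ptr = struct.unpack_from(bo + "I", val)[0]  # only meaningful when the value is out of line
        entries[tag] = tiff[ptr:ptr + size] if size > 4 else val[:size]
    return entries

def _dms_to_degrees(raw, bo):
    """Three Exif RATIONALs (degrees, minutes, seconds) -> decimal degrees."""
    v = struct.unpack(bo + "6I", raw)
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def gps_from_jpeg(data):
    """Return (lat, lon) from the Exif block of a JPEG, or None if no GPS tags are present."""
    pos = 2  # skip the SOI marker
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, length = data[pos + 1], struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = data[pos + 10:pos + 2 + length]
            bo = "<" if tiff[:2] == b"II" else ">"  # byte order mark: II = little, MM = big
            ifd0 = _read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
            if GPS_INFO_TAG not in ifd0:
                return None
            gps = _read_ifd(tiff, struct.unpack_from(bo + "I", ifd0[GPS_INFO_TAG])[0], bo)
            if GPS_LAT not in gps or GPS_LON not in gps:
                return None
            lat = _dms_to_degrees(gps[GPS_LAT], bo) * (-1 if gps.get(GPS_LAT_REF, b"").startswith(b"S") else 1)
            lon = _dms_to_degrees(gps[GPS_LON], bo) * (-1 if gps.get(GPS_LON_REF, b"").startswith(b"W") else 1)
            return lat, lon
        pos += 2 + length
    return None

def build_sample_jpeg():
    """Constructed sample: a minimal JPEG whose Exif block geotags 51 deg 30 min 26 sec N, 0 deg 7 min 39 sec W."""
    e = lambda fmt, *a: struct.pack("<" + fmt, *a)
    ifd0 = e("H", 1) + e("HHII", GPS_INFO_TAG, 4, 1, 26) + e("I", 0)  # occupies TIFF bytes 8..26
    gps = (e("H", 4) + e("HHI4s", GPS_LAT_REF, 2, 2, b"N\0\0\0") + e("HHII", GPS_LAT, 5, 3, 80)
           + e("HHI4s", GPS_LON_REF, 2, 2, b"W\0\0\0") + e("HHII", GPS_LON, 5, 3, 104) + e("I", 0))
    rationals = e("6I", 51, 1, 30, 1, 26, 1) + e("6I", 0, 1, 7, 1, 39, 1)  # TIFF bytes 80..128
    payload = b"Exif\0\0" + b"II*\0" + e("I", 8) + ifd0 + gps + rationals
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

A non-None result means the file would reveal where it was taken; stripping the APP1 segment before upload removes the leak.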
What can one do with this data? Well, many things. The first is the standard email scam. We all laugh when we see the Nigerian prince who needs to repatriate $10,000,000 and needs your cooperation and bank account details, for which he will amply reward you. But these scams are starting to use much better socially engineered approaches. You will all now have seen the parcel delivery firm that emails to say you have a parcel to collect: click here. Better than the Nigerian prince scam. Lots of people click on the parcel email because it is believable. The link leads either to a fake site or to an attempt to introduce a virus onto your computer (if successful, it's game over for your computer).
But what could I do if I had the data listed above? How about an email introducing myself as a member of your year at your school, naming a few of your friends, giving the right dates you were there, potentially teachers' names, and so on. Many people will find such an email very believable simply because it contains personal data that most people do not realise is public. The email notifies you of a school reunion. The next email asks you to pay for the tickets. See how this might work?
How does this apply to HR? Well, HR has a wealth of personal data in its systems. Many HR systems are now self-service and many are outsourced to the cloud. Not in itself a major problem. But how do your staff log in? User ID and password. What if they forget their password? Like most online systems, it will email them a reminder. In the clear. Anyone monitoring email now has access to your data. How many HR systems email copies of payslips? You can start to see that we trust the internet far more than we should. Email leakage is a major threat, not because of the content of any single email, but because the combined effect of small amounts of data can make a radical difference to your staff's and customers' personal risk levels. How many questions are asked to access a bank account? How many of the answers are available online? For many, it is all of them.
Cyber crime is growing and it is no surprise why. The ability to commit fraud and steal goods and money from the safety of a foreign country is very tempting. The more data criminals can gather on individuals, the greater the chance of a successful outcome, and the chances of being caught are very low indeed. Take the following scenario. Most people book their holidays online these days. What happens after the booking? The travel company emails the client with their travel dates, often their name and sometimes their address. Cyber criminals who intercept this email can easily find your address, whether you live alone or not, who your neighbours are, and now they know when you are away from home. They go online, look at Google Street View and can see the access to your house and views of its front, to see what locks you have, whether you have alarms and so on. A quick check on Zoopla and they can often get the layout of your house and, in many cases, pictures of your possessions inside it from when it was last on the market.
How many HR departments also manage travel for their staff? How many of those travel organisations send staff their itineraries by email, in the clear?
The threat is real, and the tools to protect email are now here, cost-effective and easy to use. Take a look at your Information Assurance processes and ask yourself this: is my Information Assurance risk assessment looking at the risk of a breach to my organisation, or is it looking at the risk we are causing to our staff and customers? If it is only the former, look again and start to think about how your actions affect the exposure of your staff and customers to cyber crime.
IMAGE CREDITS: http://www.opusfidelis.com