Anyone can be a target, and everyone should make an effort to protect data and information. The methods used by aggressors are unique, and a firewall is not the only solution.
The uniqueness lies in social engineering tactics, i.e. gaining information directly from a person. This means that, instead of getting into the system to gain information, the aggressor will use various other means to source relevant data from the person themselves. The aggressor plays on the person's emotions by drawing them into a conversation until, finally, taking advantage of the situation, the data and information are collected.
Managing your own database: Although the law protects data privacy, the onus is on the individual to create a transparent circle of data security by following these practices:
Observe Purpose - before sharing any data or information.
Limit - the data shared with others should be limited to the purpose.
Access - think before giving access to storage. For example, access given to any file in the cloud/drive should be withdrawn once the purpose is served.
Storage - ensure the safety of storage. Data stored on pen drives and hard disks is the easiest target, as people often forget to clean up data from devices that are no longer usable.
An aggressor uses different means to gain information. The easiest is to access details quietly from the office environment. Details of employees can be obtained from social media: the location of work, the organisation, the person's position and even their peers' details can be collected within a few hours of searching.
The culprit is curiosity.
Companies with multiple branches or offices in different locations are more vulnerable to such attacks. The reasons are:
1) Movement of employees from one location to another,
2) Newly recruited employees, and
3) Employees leaving the organisation.
Natural attrition in the manning structure makes it difficult to keep track of these changes instantly. If proper care is not taken while replying to an email, information and data are exposed to outsiders. This can be checked by not sharing any data or information on the private email of employees.
I've come across an incident where, one weekend, an assistant received an email from an imposter posing as his superior, asking for details on a personal email ID. The imposter pretended to be in a hurry for the details by writing that 'he is traveling and cannot access official email'. He created a sense of rush and importance in the assistant's mind.
It is easy to become a target and to be unable to handle such a situation. One must first check the whereabouts of the person, either by contacting him directly on his personal phone or through other means. However, if there is no contact, then 'none of the details' must be shared. Any such incident should be reported immediately to management and also to the IT department so that they can ensure data is secured. This was a real-life example, an attempt by a data-attacker. 'Caution is necessary'.
Another trending method used by the aggressor is posing as a recruiter and calling the office landline. Unknowingly, many people tend to reveal information that an aggressor needs. It always begins with a question such as 'tell me about yourself', and then the conversation casually moves to questions about employment history, details of family members, the names of superiors, their contact details, etc. A data-attacker can be anyone, and is not limited to the cyber world. The best way to deal with such calls is to first ask the caller to send an email. With this, the caller's details can be checked and reconfirmed before further discussion. Information is as precious as any asset and thus should not be exposed unnecessarily.
Information is gold, protect it....