Ferrum Technology Services Blog
How Data Gets Stolen (Even When Security Measures are in Place)
We talk a lot about best practices that you and your entire workforce need to follow in order to protect yourself, your business, and your customers from data theft. From ensuring that you have strong, unique passwords and making sure two-factor or multi-factor authentication is applied to all of your accounts, to keeping your endpoints updated, a lot of prevention is considered the barest necessities of cybersecurity. It’s worth understanding just how clever cybercriminals are, and just how easy it is to slip up and lose control over your own information.
A Short Recap of Some Critical Steps to Take to Keep Yourself (And Your Business) Safe from Cyber Threats
Let’s start by going over some of the fundamental steps you should be taking to keep yourself, your business, your customers, and your employees safe online.
- Always use strong passwords, don’t use common words or personally identifiable information like birthdays, pet names, relative names, etc.
- Don’t use the same password in two different places.
- Don’t store passwords anywhere but a secure password manager.
- Use 2-factor or multi-factor authentication whenever possible.
- Be aware of who or what you grant access to certain accounts (like using your Google, Microsoft, or Facebook account to log into other sites).
- Keep computers, laptops, tablets, smartphones and other devices updated.
- Use modern, trusted antivirus software and keep it up-to-date.
- Be careful what you click on, download, and open. If it looks suspicious, it could be dangerous.
- Always back up data, and ensure that backed up data is transferred and stored securely.
- Don’t connect to public Wi-Fi without a VPN.
- Don’t store data on your local machine at work, store it in a location that is getting backed up (like shared folders or drives).
- Think before you click—emails, text messages, instant messages, and social media posts could have links or attachments that are dangerous.
By no means is this a definitive list, but it is a general good start for protecting your data and personal information.
Now let’s assume that an individual is more or less following all of these steps. They are taking many precautions and reducing risk, but not eliminating it entirely. Let’s talk about how the bad guys can still get around all the defenses.
If They Want to Get In, There is Probably a Way
Let’s just take one theoretical soft spot in your cybersecurity armor and see just how far we can go. For the sake of this example, I’ll roleplay as the hacker. Maybe I know you, maybe it’s personal, but probably not. Either way, if I identify you as someone who has a lot of accounts and activity online, I know you are worth exploiting.
It might start like this. Some random data breach from some online service (we’ll use LinkedIn as an example), gives me your name and email address. This particular data breach happened in 2021, where LinkedIn had user data, including passwords for accounts, stolen and shared online.
Here I am, with plenty of free time on my hands, and a list of millions of emails and passwords that someone stole from LinkedIn and dumped publicly on the Internet.
I pick your name from the list, and start to try to cause trouble.
I discover that you were diligent and changed your LinkedIn password. I can’t get into your LinkedIn account, but I can see you are a business owner. “Jackpot!” I think to myself.
I look up your business online, I read up about you. I look at your social media and see who you associate with, who you do business with, and follow the clues around. Within a couple minutes I have a pretty good impression of you and what you do, a list of employees, and a list of clients. I set those aside for later.
Meanwhile, I try your old LinkedIn password in a few different places—Facebook, Twitter, Amazon, PayPal. Looks like you are good about using unique passwords. You won’t go down that easy, but I can keep looking…
The last place I try to log in is your website. Oh look! It’s a WordPress site, which means the login URL is typically /wp-login or /wp-admin unless you’ve customized it. I get to the login screen, and… nope. The old LinkedIn password doesn’t work. Bummer, I could have had some fun. Still, I’ll save the login URL in my notes and come back to that another time.
I do a quick lookup of your domain name and I can see where it was registered and figure out what hosting company you are using. I pull up a bunch of tabs in my browser and pick up the phone and call your web host and follow the phone prompts to get support.
Me: “Uh yes, hello, I have an account with you. My normal web guy is out sick and I really need to get into my website and update a page. I was wondering if you could help me.”
Web host: “Absolutely sir, can you give me your account number?
Me: “Um… boy, I really don’t know where that information is…”
I proceed to give the support rep information about you that I can find on your public social media accounts and website. I end up giving them your date of birth and they are seemingly convinced that I am you.
Web host: “Well, sir, unfortunately your hosting account with us doesn’t include support for your WordPress installation, but I can walk you through getting access to your account’s control panel, and you can use the tools there to make some changes.”
I work with the gentleman, quickly getting logged into your web host. He’s nice enough to give me a one-time login and add an email that I control to the account. He’s still feeding me information and providing customer service over the phone while I’m kicking you out of the account.
I quickly realize your web host also manages your business domain name, so I point all company emails over to my own inbox. I could float around like this for a few months and just collect information—learn all the accounts you are attached to, look for patterns, glean any sensitive information without ever leaving a trace…
But instead I’m just too excited! I hop onto your Google account and request a password reset. It goes to your email, which I now see. I repeat this for PayPal, Facebook, LinkedIn, Twitter, and try a few major credit card companies until I get in a few. Every so often, I’m getting stopped by 2-factor requests, but since I have full access to your email, most sites and accounts tend to think that’s enough. You’ll start getting suspicious as your phone starts sending you 2FA codes, but by then, I’ll already have more control over your online life than you do.
I already own your business website, your domain name, and all of your emails…
And you get the idea.
There is No Easy, Bullet-Proof Cybersecurity Solution
Strong cybersecurity requires diligent effort and even then, nothing is impenetrable. Our little dramatization above got lucky and took the nuclear option, but usually theft is much more subtle than that. My goal was to explain just how quickly someone can go from knowing very little about you, to knowing nearly everything, and using that information against you.
That’s why it’s important for business owners to take cybersecurity seriously, and encourage and train their employees to do the same. Each employee you have is yet another entry point for cybercriminals, and a chain is only as strong as its weakest link.
If this has you spooked, let’s have a conversation about your cybersecurity. We can help guide and train your employees, and use network policies to ensure best practices are being followed when it comes to your business data. Give us a call at 847-697-3282 to get started.