Exclusive: Low-tech threats in a high-tech world

Imagine arriving on Monday to the office and discovering that your network is under attack, all your important files are unavailable, there’s a large amount of money being requested and a ticking clock situation. What will you do?

Ransomware has proven to be a common and lucrative criminal-enterprise. Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid. Ransomware and similar cyber-attacks have exploited and continue to exploit, companies and individuals around the world.

So, what can be done to prepare for the not-so-rare chance of walking into work on Monday only to stare at a computer screen that is demanding money and unable to access any files? The best response is no response because you have prepared for the attack in advance as you assess the scope and reach of the attack.

However, mitigation does not end with just enhancing your technical security measures. According to the 2020 data available, a majority of attackers gain access through employee error by social engineering and/or phishing tactics. The prevalence of these attack methods actually provides low-tech, less costly opportunities to mitigate data breach risk. In other words, you don’t have to spend millions in enhancing your IT infrastructure to have a meaningful impact on your cybersecurity posture.

In fact, you can close a significant gap in your security through low tech (and even no tech) protocols that improve your end user awareness, training and a comprehensive approach to employee policies and procedures. Threats such as visual hacking, insider threat, CEO fraud, will often have an element of low-tech at some point in the process.

So, let’s discuss some low-tech threats that can have a high value impact and also some steps we can take to mitigate those risks:

Visual hacking

Visual hacking is a low-tech method used to visually capture sensitive, confidential and private information using cameras from devices and security footage for unauthorised use. After all, a hacker often only needs one piece of valuable information to unlock a large-scale data breach.

Insider threat

Data loss as a result of employee behaviour should be a major concern for board members and security professionals today. Careless employees, particularly those that have access to company networks through BYOD – the practice of allowing the employees of an organisation to use their own device – can easily compromise company data or intellectual property and may be leaking data without even knowing it. A second category, disgruntled employees, can also pose a serious threat to proprietary company information.

Social engineering

We can easily get hung up on high-tech scams and fraud because they seem more interesting. But the truth is, modern cybercrime is as deeply rooted in the manipulation of human behaviour. Rather than using high-tech hacking techniques, social engineering attacks happen when a malicious party gains access to company systems or data by exploiting human psychology.

Once the malicious party strikes, it’s not hard to penetrate deep into a company’s networks and databases. Today’s social engineers are extremely savvy, often studying companies prior to launching an attack, becoming familiar with their activities and lingo while projecting confidence and using reason to disarm social engineering victims.

There are several ways you can help to mitigate the effect and impact of a low-tech attack:

• Be vigilant: Many low-tech attacks rely on careless behaviour. For example, be careful about giving out passwords and other personal data, especially in public places.
• Self-censor: Do not ask Google anything you wouldn’t be comfortable sharing publicly.
• Use a privacy screen in public places: This can help prevent “sneaky peeks” when you are working on your laptop.
• Covering cameras with tape unless they are necessary for tasks such as video conferences.
• Use two-factor or multiple-factor authentication: This may not prevent a low-tech attack, but it can help mitigate the outcome of one.
• Disconnect unsecured workstations: Any computers that are left unattended should be disconnected wherever possible.
• Use security awareness training: Many low-tech attackers rely on staff and other workers not being aware of the risks of password hygiene and so on. Ensure the privacy awareness covers all aspects of company security and all staff.
• Create and enforce a Clean Desk policy.

Low-tech social engineering is about the manipulation of people. This manipulation can be an end in itself, but a low-tech threat can also be a feeding mechanism into its high-tech counterparts. As I stated in my recent speaker engagement during the SYNTYCHE 2021 Hacker Challenge, at this point we have to ask ourselves: What are we willing to sacrifice? Is the comfort of having everything connected worth the risk of having your vulnerabilities exposed?

If we create a corporate culture that only promotes a faster-bigger-cheaper mentality, employees will behave recklessly and haphazardly and not take the care to take the proper network hygiene processes.

As we have seen with the rapid expansion of digital transformation and digitalisation, there is an acute shift from hacking networks to a focus on hacking people. The tactics used to hack people are not highly sophisticated and can encompass relatively stealth threat vectors, making them hard to trace. It seems simple, but it’s important not to overlook the low-tech threats in our high-tech world.

By Peter Backman

You can connect with Peter on LinkedIn here