[gained] the ability to request new passwords for several other accounts.” The destructive cycle continued. In the aftermath, Honan did some sleuthing and reported later that he “[knew] how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
Essentially, the cybercriminals called Apple Tech Support repeatedly until they found a technician apathetic or naïve enough to allow them access to the accounts without ever using a password or correctly answering a single security question. Apple’s cloud security issues were not caused by a technical failure.
The “hackers” made it in on human error alone.
Not Just a Twitter Account
As benign and insignificant as a Twitter account may seem, these hackers were able to drastically affect Honan’s life, costing him lost data and weeks of recovery. Now imagine the same craftiness and exploitation pitted against your company’s highly sensitive enterprise data. It’s not a pretty picture.
The sad fact is that regardless of how much you vet them or trust their character, uneducated employees can be just as susceptible to spear phishing as that hapless Apple Support technician back in 2012. Your company is only as secure as the employees you keep.
These concerns are not limited to employee call centers or IT workforces. Rather, anyone with access to sensitive data of any kind poses an infiltration opportunity to hackers. You would be appalled at how seemingly easy it is for cybercriminals to pose as someone from upper management needing a password reminder through internal email accounts, or to pose as off-site engineers calling to request critical asset data due to connectivity issues.
Your human assets may mean well, but many individuals completely miss crucial social engineering cues and end up compromising the integrity of your company’s defenses.
Wax On, Wax Off
Thankfully there are ways to mitigate these human vulnerabilities, but they are by no means a quick fix or a one-time-purchase answer to your cloud security issues. Your employees and upper management alike need to be made aware of the liability that comes with any level of data access. The carelessness of one endangers the many.
Simply put, effective security requires extensive training and a willing dedication from all involved—you cannot solely rely on software and technology to save you.
Repetition also matters. Again, employees may have excellent work ethics, but the consistency of the daily grind can produce apathy and carelessness in even the most dedicated of staff members. Reminders, consistent training, and accountability go a long way to improve your company’s overall security status.
Ironic as it may be, even though technology was invented by human intellect, technology alone cannot save humans from that same intellect (or lack thereof). The answer is technology plus competent human interfacing. Over the next several weeks, we will be discussing the crucial nature of implementing adequate employee training, establishing robust processes, and ultimately choosing the best technology for the job.