Digital profile of the organization. What to look out for regarding information about your company?
2021-02-03
The digital era brings opportunities as well as threats, and not only in the ordinary digital life of individual users, but also in the digital presentation of business entities. The profiles of a company and its employees are increasingly used as a valuable source of information by hackers who want to steal resources or know-how. How do they do it and what should you look out for?
Digital profile
Anything that a company employee writes about themselves in the virtual world in their free or work time (be it social media, e-mails, online surveys, or professional profiles) can serve as a piece of a puzzle which can help an attacker detect the weak and vulnerable sides of its victim, in this case, the company.
Open-source intelligence is a general term for a set of methods that attackers use to collect information about their target in order to acquire a profile through which they can steal money or other valuable assets, such as know-how. They can obtain substantial information from what users reveal about themselves on the internet, including their residence, employer, place of work, but even their work schedule or details about work processes.
It is not uncommon for users to upload photos to their professional or personal profiles; such photos can reveal the kind of internal software a company uses, its physical or virtual security systems and how log-in methods into company systems are implemented. In extreme cases, social media users take pictures of themselves with employee access cards around their necks. They don’t realize that the attacker can obtain access authentication keys as well as information about the employee and the card issuer.
Many people make the mistake of not separating their personal and professional digital traces. Employees, but also managers and heads of offices, use their company e-mail addresses or identical sign-in information for their personal digital activities as well, such as subscribing to newsletters, using social media, or responding to invitations to events.
Security threats for companies
Companies themselves negligently create digital profiles. They underestimate the sensitivity of information in their marketing content, and their presentations frequently contain details of their work procedures or the environment in which they work. The information is available from published photos or PR reports in which they divulge information about company software solutions and the status of ongoing projects.
Companies also underestimate the threat of attacks in the form of external access. For example, during interviews or internships they make internal files and databases available to external users who are in no way vetted and will not be seen again.
Through the open-source intelligence method, the attacker will prepare a detailed profile of the company which they plan to attack. They can blackmail the company, steal money from company accounts or acquire know-how and other information.
7 principles for a secure digital profile:
1. The least amount of information possible
Do not publish unnecessary personal and company information on the internet.
2. Limited extent of information
Do not provide complex information. If you are presenting the results of a project, do not reveal how and where it was created. If you are talking about profits, achievements and property, do not reveal anything about where they are and how they are protected.
3. Do not share security information
Don’t reuse parts of your login usernames or passwords in other login credentials on the internet. Watch out for photos which could reveal security devices and protection regimes (such as security cameras or antivirus software).
4. Do not make systems available to unauthorized people
Do not let “outsiders” into internal company systems without verifying their identity. Do not allow them even seemingly harmless access to the company computer network.
5. Do not connect personal life with company information
Keep your personal and company content separate. Do not publish details about where you work and what you do in the same places where you present your private life. Do not use company information during personal activities.
6. Maintain data hygiene
Clear data from your databases. If you are signed up on social media you no longer use, request the deletion of your information. If you have e-mail services you no longer use, delete them.
7. Separate PR and sensitive information
During a company presentation, display only the necessary details about your work environment and modes of operation. Don’t show off when presenting achievements. This behavior attracts attackers.