Phishing and GDPR compliance
By Paul Brennecker, Principal Consultant, CISM | PCI QSA | PCI PFI | PCIP
There is a saying that a chain is only as strong as its weakest link. This, unfortunately, is true. When a company manages and handles sensitive customer data, it does not matter how robust the security measures are if one unsuspecting employee inadvertently opens up the system to attackers. Yet the danger this presents is often underestimated.
Failure to protect customer data adequately already results in serious sanctions and fines under the current Data Protection Act (DPA). In 2016 twenty-one fines were levied in the UK, totalling £2.1 million. When the General Data Protection Regulation (GDPR) comes into effect in May 2018, however, things will become tougher still. The DPA caps a fine at £500,000; under GDPR the theoretical maximum is €20 million or 4 per cent of global annual turnover, whichever is higher, and sanctions of that size alone have the potential to bring a company down.
A common route to a data breach is phishing: an attempt to obtain sensitive information such as usernames, passwords and credit card details for malicious purposes by posing as a trustworthy entity in an electronic (or telephone) communication. Phishing messages mislead unsuspecting individuals into giving attackers a foothold in the corporate network.
Typically, a phishing email will appear to come from a popular, well-known or reputable-sounding company; Microsoft, LinkedIn and Google Drive have all had their names hijacked for fraudulent purposes. The cybercriminal sets out a fictitious problem with the user's account, threatens that action will be taken if it is not remedied, and provides a link to click. At first glance the corporate branding, sender address and link all look genuine. This type of phishing email is indiscriminate: it is out to catch any unwary soul who takes the bait.
A more worrying trend is the 'spear phishing' attack, where a specific individual or small group of individuals within an organisation is targeted. These people are often in positions with access to sensitive company information or records, such as the finance or marketing teams. With a little research, the attacker can learn the name of a senior member of staff and trick the recipients into believing the message has come from the boss. Such emails are aimed at members of the team further down the chain, either to extract further information or to ask directly for payments to be made. Once you understand the anatomy of a spear phishing attack, you can see why an organisational chart and an address book become invaluable data to the attacker. That data may well have been gathered in an earlier, less targeted phishing attack, through malware introduced onto email or Active Directory servers.
So: an unsolicited email of any type should be treated with suspicion and, ideally, not opened at all. If it is opened, check the spelling and grammar. Unlike professional companies, which use copy editors to check their content, cybercriminals are not known for their written English, although a well-written message is no guarantee of a genuine one. Links should also be checked: hovering the mouse over a link (without clicking through) reveals the real destination, which may be an entirely different web address from the text displayed. Any message that leads to a request for account credentials or payment details should be treated as a phishing attempt; genuine companies do not ask for passwords or bank account information by email. Bear in mind, though, that if an employee has reached the stage of entering such details, an attack is probably already under way, so these checks are a last line of defence rather than the only one.
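Two of the checks described above, the display-name impersonation used in spear phishing and the "hover over the link" test, can be automated at the mail gateway or in a triage script. The following is an added example written for this article, not SRM's own tooling; the internal domain, the protected name list and both sample messages are constructed for illustration.

```python
"""Automate two manual phishing checks on a raw email:
 - a From display name that borrows a protected internal name (e.g. the
   finance director) while the actual address is outside the company, or a
   Reply-To that diverts replies elsewhere;
 - an HTML link whose visible text names one host while its href points at
   another (what hovering the mouse over the link would reveal).
Added example for this article, not SRM's tooling. The domain, the name
list and the sample messages below are constructed assumptions.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.co.uk"      # hypothetical company domain
PROTECTED_NAMES = {"jane doe"}          # hypothetical senior staff names


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Hostname of a URL, or of bare text that looks like one."""
    s = value.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def check_links(html):
    """Flag anchors whose displayed host differs from the real href host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown, real = _host(text), _host(href)
        if "." in shown and shown != real:   # text like 'Click here' is skipped
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


def _addr(msg, header):
    """(display name, address) for a header, lower-cased; empty if absent."""
    value = msg[header]
    if value is None:
        return "", ""
    name, addr = parseaddr(str(value))
    return name.strip().lower(), addr.lower()


def check_sender(msg):
    """Flag protected-name impersonation from outside and Reply-To diversion."""
    findings = []
    name, addr = _addr(msg, "From")
    from_domain = addr.rpartition("@")[2]
    if name in PROTECTED_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' but external address {from_domain}")
    _, reply = _addr(msg, "Reply-To")
    if reply and reply.rpartition("@")[2] != from_domain:
        findings.append(f"Reply-To diverts replies to {reply}")
    return findings


def analyse(raw_bytes):
    """Run both checks over a raw RFC 5322 message and return all findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return check_sender(msg) + check_links(html)


# Constructed spear-phishing sample: borrowed name, lookalike domain, diverted
# replies, and a link whose text names the real intranet but points elsewhere.
PHISH = b"""From: "Jane Doe" <jane.doe@mail-example-co.uk.com>
Reply-To: jane.doe.ceo@webmail.example
To: junior@example.co.uk
Subject: Urgent payment
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please settle the attached invoice today.</p>
<p><a href="http://login-portal.evil.example/secure">www.example.co.uk/finance</a></p>
</body></html>
"""

# Constructed legitimate sample: internal sender, link text matches href.
LEGIT = b"""From: "IT Helpdesk" <helpdesk@example.co.uk>
To: junior@example.co.uk
Subject: Maintenance window
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.example.co.uk/notices">intranet.example.co.uk/notices</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(raw) or ["no findings"])
```

The link check deliberately ignores anchor text that is not itself a URL ("Click here"), since there is nothing to compare; a stricter policy would flag every link whose host is outside the company's own domains. Neither check replaces the human judgement the article asks for; they surface the cases where a hover or a glance at the sender would have raised the alarm.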
Training staff how to recognise and deal with suspicious emails is just one element of a robust information security plan. SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.