Do you know who you are talking to?

Today’s anecdote – always know who you are talking to… wait… hang on… isn’t this an IT article? Well yes it is, but even when you are sat at your computer you want to ensure you know “who” you are talking to, and that “they” should know the information you are typing in.

This all starts with a recent installation of some signature control software at an office in Sheffield, you know the kind of thing, a platform to control all of your staff signatures centrally, to make sure all of them look the same, have the relevant information on them, update all of them with any current pertinent information, all very useful to keep on top of what is otherwise a long, dreary and often niggle filled process to achieve email appearance heaven.

So, as part of this installation, a small piece of software needs to be installed on every machine to change the signature appearing in outlook. This piece of software then asks for a user’s Office 365 username and password to connect to their mailbox and pull information required, such as phone number, email address, job title, that kind of thing and insert it into the signature. All above board so far and no tale of woe or foreboding.

Where this becomes a tale of caution is when the software pops up that little box asking for your credentials for office 365 – the keys to your little cloud kingdom. At this point I was re-introduced to the fact that some people just put their username and password into anything – like ANYTHING! Several users gleefully entered their details without evening questioning what this new pop up on their computer was, or where their information was going.  In conversation later it was found that “I didn’t know what it was, the computer asked for it” was justification enough.

So in this case, it was a legitimate application and use case, so no harm was done, but it does go to illustrate how easy it is to harvest details – if you can get a computer to ask for them (and there are a lot of ways you can do that) then someone will supply them.

This really is a staff awareness issue. Like it or not, the modern workplace more and more requires us to use technology, and whilst some of us are not as “techy” as others, we still need to understand enough to keep us safe. Kind of like when we were teenagers in school, and we had those hilariously embarrassing sex education classes to help keep us safe in areas of life we didn’t yet fully understand. We now need to know how  to play safe in the digital world to stop our data getting something nasty happen to it, even if we don’t understand it all just yet.

I may take this analogy further…

From a management level we can put plenty of things in place to help protect against things, just like protective parents we can try and keep our children away from things that will harm them or change their lives forever.  We can monitor what they do, try to keep them in the house so they never play with anyone we think is a bad influence. I see this akin to setting access rights correctly, and installing antivirus and spam filters, going the extra mile, and putting in additional security .
But when all is said and done, teenagers will be teenagers, and end users will be end users, and at some point, they will manage to get in harm’s way – that’s why education is one of the best ways to prepare someone for their life (real or digital)

Just like those awkward lessons back in school, lets start with all the warnings, the tales of woe and what can go wrong. So someone has your username and password – what can they do? Well without any additional protection in place they can BE you (as far as digital systems are concerned).

They may just make a straight run for your data, like a rampant STD they immediately start to damage stuff, deleting or encrypting files, sending damaging communications – they are revealed quickly, but a lot of damage – sometimes irreversible – is doled out to your data, your reputation and your systems.

They may be more even more invasive – and patient – biding their time, and using your account to go deeper into your organisation. They have a foothold, and they will use this to leverage their way further in, getting closer to more of your clients, other staff, suppliers. It can be surprising how much can be achieved even from quite a junior member of staff or volunteer account. Often these kinds of intruder will spend months inside your systems, working out who is who, what is valuable and what is not, social engineering their way to stronger positions and additional accounts to eventually causing more damage than you may expect.

So how can users help protect themselves and your systems? Mindfulness, wise decisions and use protection.  In the digital world – don’t try and circumvent protections that are in place, understand that those systems, EG MFA checks, while they may be a small nuisance, protect them from far bigger consequences. Be mindful that not everything is as it seems, if their password is requested, e.g. a program popping up on screen – should they be entering it, what has generated the request, are they sure they know where their credentials are going to be sent to. And if in doubt, make the wise decision to seek guidance.

This is just a small anecdotal piece. There is of course far more you can do to improve your staff, and your own awareness of the risks, and help you to live a long and happy digital life with your data, but a few quick takeaways to get you started on the right path

1. Multi Factor Authentication on any system that supports it – use it.
2. Dig deeper into staff awareness, whether this is internal training, or using one of the great platforms available for security awareness.
3. Staff awareness testing, check how affective your training has been. Phishing test campaigns are a good place to start this adventure.
4. Monitoring of your systems – there are a great many steps you can take to help catch if someone is trying to gain access to or has gained access to your systems. Invest in the software and time to increase your chance of finding out if you have an unwelcome visitor, before they make themselves known in a less pleasant way.

I hope you have enjoyed this article, I know I have rambled, but if you want to know more about any of the points in this post, or want to discuss anything IT with us, we are always happy to talk, get in touch with us today