A true story about the dangers of mixing business and pleasure...
We spoke with Merseyside Police Detective Colin Graham, who works in the Cyber Dependant Crime Unit, about a common cyber-crime affecting one company and their remote employee. We'll call this remote employee 'Bob'.
- Bob is a flexible worker, splitting his time between home and office.
- Bob is responsible for setting up and managing customer accounts. His company is small and they are happy for employees to manage their work on their personal computers.
- One day, Bob is in an online chat room discussing one of his favourite computer games. A fellow gaming enthusiast tells him about a really good gaming modification and provides Bob with a link to a shady looking website. But because the modification was vouched for by a fellow gamer, Bob decides to purchase, install and run it on his computer.
- The modification worked, and Bob was now excelling at cheating in his favourite game. But he never really examined the contents of the download, something he would come to regret.
- A few weeks later Bob receives an email from someone purporting to be a member of an infamous hacktivist group. They tell Bob that they have accessed his computer and copied all of his data. They threaten to leak the data unless he makes a payment of 0.2 Bitcoins to a specific Bitcoin address.
- Bob ignores this, assuming it is a typical extortion email. He has no proof that he has been hacked, so he ignores the demands. But unlike generic extortion emails, these keep coming. They become more specific and then start to provide proof of compromise.
- They show Bob a copy of his Google Chrome password list which contains hundreds of clear text passwords and usernames. Bob recognises his favourite password and its many iterations, even the safe one with the exclamation mark at the end!
- They finally have Bob’s undivided attention. Not only do they know the usernames and passwords to Bob’s personal accounts, they also have access to his company’s client accounts.
- Whilst Bob is trying to come to terms with this, his laptop comes to life, the mouse is moving, and it’s clicking and accessing things of its own accord. Bob is in a clicking war with the attacker whilst his partner is frantically calling the Police.
- Bob was not prepared for this, nor was his company. He receives another email, asking him what his clients will think of him and his company when they discover that Bob has allowed their data to be exposed.
- In desperation, Bob wipes his laptop to put an end to the clicking war.
- He is now faced with telling his boss that their clients’ data has been exposed.
- The company's response was to set up two-factor authentication (2FA) for their client accounts and issue new passwords.
- They then begin the process of contacting their customers to warn them of the breach.
This is a classic example of BYOD exploitation.
BYOD stands for 'Bring Your Own Device', and it's a simple way that many smaller businesses save on hardware investments and offer flexible or remote work to their employees.
Unfortunately, the connected laptops, phones or tablets that belong to your employees represent a potential entry point into your IT network for hackers if they are unsecured.
We asked Detective Graham and SysGroup IT Security experts to weigh in:
What went wrong and how can you reduce the risk for your business?
Protect your IT network and secure your employee devices through these key strategies:
- Be sure that all company laptops or tablets are connected with a secure cloud backup solution for continuous data replication and to minimise the risk of lost or stolen data.
- Detective Graham recommends that businesses investigate and implement the control measures suggested by the NCSC, including 2FA (two-factor authentication) or MFA (multi-factor authentication).
- Once MFA is enabled on all of your user accounts, all is not lost even if your credentials have been compromised. MFA and 2FA put another hurdle between the attacker and your account by requiring a response on a secondary device. App-based 2FA is also simple and cheap to implement, making it accessible for businesses of all sizes.
- SysGroup's endpoint security solution vets devices and monitors connectivity, encrypts data, whitelists applications and blocks harmful activity. It gives you the power to control access to your network and install user privileges across different devices.
- Detective Graham also recommends that you exercise caution when downloading anything from the internet, as things aren’t always what they seem. If you really feel it necessary to take a risk, do it in a VM. And when you download that must-have dodgy file, scan it immediately with antivirus tools. While you’re at it, make sure your system is set to run regular antivirus scans.
Of course, this is not an exhaustive list, but it will help lower your risk levels overall. These guidelines apply to businesses of all sizes and budgets, as many of these strategies are great steps towards improved IT security.
If you are a Merseyside based business and see similarities between your company and Bob’s and need help building better cyber defences, then please contact SysGroup or email the Cyber Dependant Crime Unit at: Cybercrime.Protect@merseyside.police.uk
If you are the victim of a cybercrime, then please report it through this link.