The context of this writing: I took a course on Designing and Building a Cybersecurity Program and wrote many papers during the course. Below is a revised and shortened snippet from one of my essay papers.
In 2020 our country was going through a crisis that brought many states to a standstill, and our healthcare organizations' services were being maxed out. During that time, society's immoral actors used the chaos to launch cyberattack campaigns against many healthcare organizations.
These cyberattacks started with reconnaissance and information gathering. Many healthcare institutions were getting hammered with attacks, as reported by Healthcare IT News: the World Health Organization (WHO) reportedly saw attempted cyberattacks double since the onset of the COVID-19 crisis, and a vaccine testing facility was also targeted with ransomware.
Taking a step back, here is what we know as FACTS: the cyber threat landscape starts with the pre-attack phase, which consists of reconnaissance and information gathering. An attacker has several ways to do this on a target: scanning networks for known vulnerabilities, scraping information from social networks, phishing, planting Trojans, and spoofing Wi-Fi networks. The first two gather information directly; the last three are typically used to capture credentials or a foothold that then yields more information. It does not take much for an attacker to gain access to your network; even the slightest pinhole crack will do. With time and patience, they will collect the information they need to penetrate your systems further.
If we think about how they got the information needed to get into your systems, the answer usually starts with employee negligence. As cited by Data Link Networks, a 2018 State of the Industry Report by the document security company ShredIt found that employee error accounted for a whopping 71% of the data breaches reported by surveyed small and medium-sized businesses (SMBs).
The point of this essay paper is: how do we reduce employee negligence? If we think about it, negligence does not start the moment the employee walks through the office doors. Part of it happens outside the company's purview, off its radar, and that part should matter.
We need to start thinking about protecting our employees' cybersecurity beyond the company's infrastructure boundaries. Again, this paper aims to reduce the reconnaissance and information gathering that can be done against employees who have access to critical data and systems.
Continue reading to find out how this can be done!
If we look at the cyber threat landscape, we know the pre-attack phase is where most reconnaissance is done, so the goal is to reduce the amount of information available to be gathered during that phase. The aim is to establish or revise the organization's social media policy around a secure-social-media-information-first (SSMIF) mindset: secure the information first, promote it second.
For example, who in an organization manages data, implements controls over data assets, and essentially holds the keys to the organization's information? You guessed it: IT personnel. Most IT professionals have a LinkedIn account that displays their work credentials, meaning their qualifications, achievements, and details of their job background, often down to the products and systems they administer. This is where organizations want to limit the amount of information presented. As the saying goes, too much information can be as dangerous as too little. We push for an SSMIF mindset so that employees do not compromise themselves by offering too much on their LinkedIn account, which in turn reduces what bad actors can gather.
Every company should have a Social Media Policy that establishes security protocols for the amount of information an employee may put on social media platforms, and that offers guidance on how to manage the information on those platforms. Organizations typically hold yearly employee training, which can include these social media security protocols.
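To make the "too much information" point concrete, here is an added example that is not part of the original essay: a small Python auditor that scans a LinkedIn-style profile blurb for the kinds of statements an attacker harvests during reconnaissance (named products with versions, privileged roles, internal hostnames, and email addresses that reveal the naming convention), scores the exposure, and shows how the score drops once versions and internal names are removed. The sample profile, the vendor list, the privilege terms and the weights are all constructed for this example, not taken from the page.

```python
"""Profile over-disclosure auditor (added example, not from the original essay).

Flags the details on a public profile that feed attacker reconnaissance and
demonstrates the SSMIF idea: keep the career facts, drop the targeting data.
All keyword lists and weights below are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Products an attacker can map straight to vulnerability databases. Illustrative list.
PRODUCT_PATTERN = re.compile(
    r"\b(Cisco ASA|FortiGate|Palo Alto|Citrix (?:ADC|NetScaler)|Exchange Server|"
    r"Windows Server|VMware vSphere|SonicWall)\b(?:\s+v?\d+(?:\.\d+)*)?",
    re.IGNORECASE,
)
# Titles and duties that signal high-value credentials. Illustrative list.
PRIVILEGE_TERMS = (
    "domain admin", "active directory", "backup administrator", "vpn administrator",
    "global administrator", "firewall administrator", "privileged access",
)
# Hostnames on non-public suffixes leak internal topology and naming.
INTERNAL_HOST_PATTERN = re.compile(
    r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\.(?:local|internal|corp|lan)\b",
    re.IGNORECASE,
)
# A single address reveals the organization's email naming convention.
EMAIL_PATTERN = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample profile text; any resemblance to a real person is accidental.
SAMPLE_PROFILE = """
Senior Systems Administrator at Example Regional Health (2016 - present)
Domain Admin for the corp.example-health.local forest; manage 40 Windows Server 2012 R2 hosts,
Cisco ASA 9.12 perimeter firewalls and the Citrix ADC VPN gateway.
Contact: jsmith@example-health.org
"""


@dataclass
class Finding:
    category: str   # product | privilege | internal_host | email_format
    evidence: str   # the text that triggered the finding
    weight: int     # assumed contribution to the exposure score


def audit_profile(text: str) -> List[Finding]:
    """Return every reconnaissance-relevant disclosure found in the profile text."""
    findings: List[Finding] = []
    for m in PRODUCT_PATTERN.finditer(text):
        # A version string turns a vendor name into a concrete exploit target.
        weight = 3 if re.search(r"\d", m.group(0)) else 1
        findings.append(Finding("product", m.group(0), weight))
    lowered = text.lower()
    for term in PRIVILEGE_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            findings.append(Finding("privilege", term, 2))
    for m in INTERNAL_HOST_PATTERN.finditer(text):
        findings.append(Finding("internal_host", m.group(0), 3))
    for m in EMAIL_PATTERN.finditer(text):
        findings.append(Finding("email_format", m.group(0), 1))
    return findings


def exposure_score(findings: List[Finding]) -> int:
    """Sum of finding weights; higher means more useful to an attacker."""
    return sum(f.weight for f in findings)


def sanitize(text: str) -> str:
    """Rewrite the profile the SSMIF way: keep the product names that document
    experience, but strip version numbers and replace internal hostnames."""
    text = PRODUCT_PATTERN.sub(
        lambda m: re.sub(r"\s+v?\d[\d.]*$", "", m.group(0)), text)
    return INTERNAL_HOST_PATTERN.sub("[internal domain]", text)


if __name__ == "__main__":
    before = audit_profile(SAMPLE_PROFILE)
    for f in before:
        print(f"{f.category:14} {f.weight}  {f.evidence}")
    print("exposure before:", exposure_score(before))
    print("exposure after sanitize:", exposure_score(audit_profile(sanitize(SAMPLE_PROFILE))))
```

Run as a script it lists each disclosure with its weight, then prints the score before and after sanitizing. The email address and the privileged title still score after sanitizing, which is the point: some facts (job title, employer domain) cannot be hidden by policy, so the policy should concentrate on the details that are purely optional, such as versions and internal names.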
Understanding the laws for your state around social media
We're in the age of the unknown regarding what an employer can ask an employee to do with their social media accounts. The goal is not to dictate what employees do on their personal account(s), but to educate them about the dangers of displaying too much information.