Has your stomach ever churned on opening a newspaper and seeing your name in it? This was the opening sentence of an article I read on the plane the other day. Using personal information to enrich our lives and keep us informed and connected brings new consequences. The details you type in to buy something online (name, date of birth, address, the answers to your "security questions") are often the same details that unlock your bank and other financial services. Sometimes you ask yourself how they got this information, and too often the answer is that it came from you or from the people around you.
I had some very old pictures of me put online by a friend of my wife's daughter! She thought it was funny and hadn't thought of the possible consequences. This is where most of us fail at our own personal security: we are a trusting lot, and we don't think the way a cybercriminal does or draw the connections a cybercriminal draws between scraps of data. Every small scrap of information is now being collected and used to target the new perimeter, which is YOU.
New legislation intended to make businesses more transparent (the Small Business, Enterprise and Employment Act 2015) in effect publishes valuable information about who owns and controls a company: through the register of people with significant control, the name, nationality, month and year of birth and a service address of anyone holding a major stake become public record. Most people would look at this and say "so what", but this information is exactly the raw material of social engineering. What the regulation requires to be made public is, you guessed it, much of the same information that financial services organisations use to prove your identity, and indeed the same information anyone would ask for as proof of identity. An attacker does not need the full set to do damage: a name, an approximate date of birth and an address are enough to sound credible on a phone call, to pass some knowledge-based checks, or to order the documents that fill in the rest. Where we once lived in a physical world, we now live in a digital one, and digital and social privacy have to be addressed. Privacy has to be balanced against convenience, but we all need to be aware of the need to protect it and to obscure personal information wherever we can.
Social engineering is now a key part of the cybercriminal's armoury, and we need to defend against it. A red team exercise or a social engineering penetration test, in which someone you have authorised tries to talk their way past your people and processes, is now an essential part of your defences, because it shows you which scraps of public information actually open doors. Build an online persona that doesn't contain your personal information unless it is absolutely necessary. Treat requests for your information the same way you treat nuisance phone calls: do not answer on the caller's terms, and verify who is asking through a channel you already trust before you give anything away. We have to maintain trust in our digital lives, so treat the digital world the same way you would the physical one: build trust over time and keep initial information exchanges to a minimum.