According to a 2009 Symantec study, cyber crime is now the most profitable criminal activity, just ahead of drug trafficking.
What are they after? Access to your data. They want account numbers, social security numbers and personal information. Today, these threats come from all over the world. No longer is the average hacker a bored college techie. Now, there are warehouses of children in Russia that are paid cash per SSN harvested. They have the time and motivation to exploit any and all weaknesses in our networks.
The worst part is, there is a weakness in every network that no firewall or virus software can eliminate: the people using it. The number one way criminals gain access to your network is by misleading a user into inviting them in. One wrong click and they have everything they need to rob you blind and destroy your business.
Here’s the scoop: the criminal does some research and crafts an email specifically directed at one of your employees. It says something about saving money on healthcare or another work-related topic to pique their interest. There’s a link and a form that the user is asked to fill out. Here’s the new trick: the email appears to come from someone inside the office, usually their boss.
By clicking on the form, the user gives the criminal control of their computer. That night, the criminal uses access to the user’s machine to break into the company server. He then has free rein to harvest and destroy your data as he pleases.
The best targets for these crimes are businesses that do not have a full-time IT person. These businesses usually depend on a tech guy to come out and fix stuff when it breaks. The biggest problem here is that most of them don’t even know they’ve been hacked until it’s too late. A recent study found that last year 40% of small businesses’ networks were accessed by a hacker. Half of them didn’t even know they were attacked.
What can you do? Train your people, blog about it, tell your mom, and make sure that you don’t click on anything that you are not expecting. If you’re ever suspicious, ask whoever supposedly sent you the e-mail if it’s legit. Just remember, the email may not be from who it says it is.
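The point that an email may not be from who it says it is can also be checked by software at the mail server. The following Python check is an added example, not part of the original post: it flags messages that claim an internal sender but whose headers disagree. The domain `example.com`, the function names and both sample messages are constructed assumptions, and the `Authentication-Results` header is assumed to have been written by your own receiving mail server.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: your organisation's mail domain
# Constructed sample messages (not real mail), embedded so this runs offline.
SPOOFED = """\
Return-Path: <bounce@mailer.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.test; dmarc=fail header.from=example.com
From: "The Boss" <boss@example.com>
Reply-To: boss@example-benefits.test
Subject: Healthcare savings form

Please fill out the form.
"""
GENUINE = """\
Return-Path: <boss@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: "The Boss" <boss@example.com>
Subject: Staff meeting

See you at 10.
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """List reasons a message that claims an internal sender looks forged."""
    msg = message_from_string(raw_message)
    if domain_of(msg["From"]) != internal_domain:
        return []  # does not claim to be from inside the office
    reasons = []
    # Replies or bounces that leave the organisation contradict the From line.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[header])
        if dom and dom != internal_domain:
            reasons.append(header.lower() + "-external:" + dom)
    # SPF/DKIM/DMARC verdicts recorded by the receiving server. Only trust
    # this header when your own server added it and strips inbound copies.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf", "dkim", "dmarc"):
        if check + "=fail" in auth:
            reasons.append(check + "-fail")
    return reasons

if __name__ == "__main__":
    print(spoof_indicators(SPOOFED))
```

An empty list does not prove a message is genuine, so asking the supposed sender is still the final check.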
I learned about this new threat 3 days ago when the Nashville Technology Council hosted Infosec. I haven’t told my mother yet, or trained my staff, but I did blog about it. Tell your friends, folks. This threat is real.
bfm