Common threats to business information security

Analysing activities from the point of view of a competitor, hacker or investigative journalist is the first step towards protecting the privacy and reputation of any company. Examples of sensitive information which would be useful for competitors include:

• financial statements and business research documents
• discussions on partnership, mergers and acquisition
• information about personnel and clients
• corporate climate and culture
• business accounts passwords

We will search for this information in several open sources, such as Facebook, Instagram or LinkedIn. We will also look at company reviews or ratings sites, publicly available boards on Trello and any hacked accounts databases. This type of intelligence is called OSINT (Open-Source INTelligence) and understanding its tools will help you make timely decisions in accordance with any potential threats.

When OSINT analysts search for information, their experience helps them to verify how reliable the sources are. They divide their findings into two parts: the Speculation, Gossip and Conspiracy Theory folder; and the Company Profile folder, which is when the information is deemed reliable through the number of shared sources.

In the article below, we shall discuss the threats to information security, which affect the reputation of a company, and the methods to prevent business data leaks.

Threat: Disregarding information security and basic privacy rules

Each of the services used by personnel — cloud storage, Google Docs, online screenshot maker — is a potential source of business information leaks. Using online services such as Slideshare, Gliffy and Emaze to make presentations, draw diagrams and create infographics, employees may forget to configure their privacy settings. This data is indexed by Google. Likewise any files uploaded to G Suite, or the boards in the task trackers Jira and Trello.

How to prevent this threat: Enable privacy mode for any documents and workspaces, and above all instruct employees on information security. Use Canary Tokens to track IP addresses of the attacker who might gain unauthorized access to documents.

Use of the combination of Google search operators site:trello.com + docs.google.com showed the path to the budget, projects and instructions of the design studio in Kyiv. Only users with links have the access to documents. However, the links are posted on the publicly available Trello board

Threat: Cyberattacks and hacking into credentials

After a cyberattack, hackers sell credentials on anonymous marketplaces with the names of the companies publicly available. Advanced OSINT techniques can search for a company’s e-mail and passwords across data breaches on Pastebin and anonymous Dark Web forums.

How to prevent this threat: Check if the corporate or personal accounts have been compromised. You can use Have I Been Pwned, pwndb, Google Password Check or Password Security Recommendations for iOS.

Hunter.io searches business e-mail accounts by domain name. The Pwndb onion service finds hacked e-mail passwords in data breaches. It also finds every account which has used the same password which has been leaked

Threat: Reusing Passwords

Using the same passwords for corporate and private e-mail accounts or other services is a chance for hackers to gain access to all accounts at once. This will enable them to view the business correspondence and the personal messages of employees and their contacts.

How to prevent this threat: Scheduling regular change of passwords is inefficient: employees slightly modify the same password, adding a few digits or characters that can be easily cracked. Instead, teach your employees to use a password manager and generate difficult passwords or passphrases, which are unique for every account. For additional protection, employees should set up two-factor authentication, such as sending an SMS with a validation code while logging in.

Threat: Employees’ publications on social media

“Work week starts off like that”. Do you like to post office selfies with this type of caption to Instagram? Photos containing office interiors and documents on the desktop, as well as videos recorded in the office, may accidentally reveal confidential documents, the exact location of the office and notes with Wi-Fi and business account passwords. These pictures may also reveal the name and job title of an employee.

How to prevent this threat: Make it a routine practice for your employees to check their photos and videos for any sensitive information before publishing them on social media and video hosting sites.

Office pictures with a window onto the street can reveal the precise geolocation via Google Street View. Let us hope the company has a video surveillance system and access control

Do you think it’s impossible to read the text of the document? Instagram stores images in their original resolution. You can find the original image using the Developer’s tools in popular browsers. The picture shows the schedule of municipal court hearings in the Philippines

This post about career promotion (Congratulations to the Vice-President!) includes a business card. It’s difficult to control one’s emotions after you have been promoted, but there is no need to reveal your email address or the address of your company

Threat: Fired or demotivated employees

A fired or unhappy employee tends to leave a review of the company on Glassdoor or social media. The higher level of dissatisfaction with the company, the more eager employees are to discuss (and condemn) the processes inside it. When a competitor reads this negative feedback, they will enjoy an advantage when they are hunting for new staff. They are aware of the problems faced by such a disgruntled employee and can offer something better.

Moreover, dissatisfied employees can leak important projects to your competition. According to a Verizon report, in 2020 26% of data breaches were caused by insiders.

How to prevent this threat: Identify accounts with advanced permissions and restrict employee access. All them to only access data used for their immediate official duties. Disable accounts of former employees. Last but not least, you should recruit high-skilled employees, apply tangible and intangible methods of motivation and take a personal interest in employee career goals.

Securitas reviews on Indeed, a job search website. How many of you are familiar with such complaints about ageism, chaotic changes in the work schedule and a toxic workplace?

So, let’s sum up the key principles of keeping business information secure.

1. Set up access control for business documents and accounts
2. Care for your employees and educate them on the basic principles of information security
3. Use canary tokens to track any unauthorized access
4. Set up two-factor account authorization and check passwords to prevent data breaches
5. Use high-skilled OSINT services for advanced searching for vulnerabilities and threat management.