While insider threats are nothing new and have often been linked to disgruntled employees or to hires who unintentionally click on malicious phishing emails, interns bring an entirely new threat to companies.
Lax security training for company interns, coupled with Generation Z's attachment to social media, is providing a lucrative opportunity for hackers to collect social engineering information.
More disturbingly, the level of information posted online, including details about office layout, company data, and even badge information
A New Threat
When it comes to collecting data for social engineering, “social media is a goldmine,” and between Snapchat, Instagram, YouTube, and Facebook, Generation Z is the most avid user of social media to date.
About 75 percent of the time, a social media search turns up the information I’m seeking within just a few hours. This is especially true for large companies, where these posts are most often from interns or new employees.
The extremely high attack rate on social-media logins is indicative of the value fraudsters place on the data they extract from compromised social accounts. Because more than 50 percent of social media logins are fraudulent, we know that fraudsters are using large-scale bots to attack social media platforms with the goal of disseminating spam, stealing information, spreading social propaganda and executing social-engineering campaigns that target trusting consumers.
Sometimes fraudsters have to rely on humans to carry out attacks; these attacks cost more, but the value they can extract from the attack makes the investment worthwhile. Note that developing economies are quickly becoming fraud hubs because they have easy access to sophisticated tools, cheap manual labor and strong economic incentives associated with online fraud.
Take, for example, a fake badge produced with photo editing. The fake badge may not work on doors, but it could work for piggybacking when other employees enter a secure location. Other platforms, like Glassdoor, offer troves of valuable information for phishing emails, including company organizational charts, salary ranges or typical interview questions.
Using this information, an attacker could develop phishing emails, tailoring the subject and content to what’s trending among employees of a given company. Unfortunately, employees could easily fall for a well-crafted email, and they may forget to check the sender’s legitimacy.
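Checking the sender’s legitimacy is something a mail gateway or an analyst script can do automatically rather than leaving it to a busy new hire. The following added example (not code from the original article) parses the headers of a constructed message and flags the usual warning signs: a From domain that is a one-character lookalike of the organization’s own domain, a display name that names the organization while the address does not belong to it, a Reply-To pointing somewhere else, and SPF/DKIM/DMARC verdicts that are not “pass”. The organization domain example.com, the lookalike examp1e.com, the Authentication-Results values and both messages are constructed placeholders.

```python
"""Sender-legitimacy checks over raw email headers (added example, not from the article).

Assumptions: the organization's mail domain is example.com, and the receiving gateway
adds an Authentication-Results header in the RFC 8601 style shown below. All sample
messages, addresses and verdicts here are constructed for the example.
"""
import email
import email.policy
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed lure themed on the "#NewJob" posts the article describes: lookalike From
# domain (examp1e.com), organization name in the display name, foreign Reply-To,
# and failing authentication verdicts.
SAMPLE_MESSAGE = """\
From: "IT Helpdesk - Example Corp" <helpdesk@examp1e.com>
Reply-To: onboarding-support@mail-relay.invalid
To: new.hire@example.com
Subject: Action required: confirm your #NewJob badge photo
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=examp1e.com;
 dkim=none;
 dmarc=fail header.from=examp1e.com
Message-ID: <constructed-1@examp1e.com>

Welcome aboard! Please re-upload your badge photo at the link below...
"""

# Constructed internal message that should raise no flags.
LEGIT_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: new.hire@example.com
Subject: Welcome to the team
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Message-ID: <constructed-2@example.com>

Welcome aboard!
"""


def domain_of(header_value: str) -> str:
    """Return the lowercased domain of the address in a From/Reply-To header, or '' if absent."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower() if "@" in address else ""


def auth_results(header_value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=([a-z]+)", header_value or "", re.IGNORECASE)
        verdicts[method] = match.group(1).lower() if match else "missing"
    return verdicts


def lookalike(domain: str, trusted: str) -> bool:
    """Crude lookalike test: same length and at most one differing character, but not identical."""
    if domain == trusted or len(domain) != len(trusted):
        return False
    return sum(a != b for a, b in zip(domain, trusted)) <= 1


def check_sender(raw_message: str, trusted_domain: str = TRUSTED_DOMAIN) -> dict:
    """Return the parsed sender facts plus a list of short flag codes (empty means no red flags)."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    from_header = str(msg["From"] or "")
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    reply_to_domain = domain_of(str(msg["Reply-To"] or ""))
    auth = auth_results(str(msg["Authentication-Results"] or ""))

    flags = []
    if from_domain != trusted_domain:
        flags.append("lookalike_domain" if lookalike(from_domain, trusted_domain) else "external_domain")
        # The organization's name in the display name while the address is not ours.
        if trusted_domain.split(".")[0] in display_name.lower():
            flags.append("display_name_impersonation")
    if reply_to_domain and reply_to_domain != from_domain:
        flags.append("reply_to_mismatch")
    for method, verdict in auth.items():
        if verdict != "pass":
            flags.append(f"{method}_{verdict}")
    return {"from_domain": from_domain, "reply_to_domain": reply_to_domain, "auth": auth, "flags": flags}


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, check_sender(raw)["flags"] or ["no red flags"])
```

The lookalike test is deliberately simple (one substituted character); production gateways use homoglyph tables and registered-domain lists, but the structure of the check is the same: compare what the display name claims against the address domain, against the Reply-To, and against the gateway’s own authentication verdicts.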
For companies that don’t include security awareness training as part of onboarding, new employees may not be trained until the next round of companywide instruction, which could be up to a year away. Excited new employees often post their #NewJob #FirstDay #CompanyName via a hash-tagged selfie, showing off their new workspace and neglecting to realize that sensitive company information may be in the background.
Companies should rethink their social media security policies, as well as train managers and social teams to spot any risky data posted online. And because photos taken in the office may inevitably end up online, companies should also establish a safe photo space, an area of the office where any sensitive information is banned.
The top method of protection, however, is security training: make sure your interns and new hires receive it as part of their onboarding process.
You can make this fun and effective by helping them to understand the ways a hacker could use the seemingly harmless info they might consider posting.