Gone are the days when we would use padlocks and safes to protect our documents, finances and personal belongings. Instead we are using virtual spaces for storing our livelihoods and most precious information. While these are probably more secure than any lock and key, virtual safeguards make us reliant on secret passwords.

Hollywood portrays hackers as nerdy yet cool and mysterious types. They speak techno-babble yet their dialogue fuels many a television series. And by clicking for a few seconds on their keyboard and frowning at their computer screen, they can connect to any computer system over a network, find a vulnerable entry point and steal all the data they require.

Beyond the silver or television screens, the reality is quite different because even using the most advanced hardware and software combination, a hacker might take months or even years to find a way through a computer network using a username and password combination. This is mainly due to the high level of encryption and security being used by most network administrators.

But hackers are persistent and, just like the game of cat and mouse, they will almost always find a new way in. The latest trends show that today most breaches only occur after some insider knowledge is gained or by tricking someone to divulge confidential information.

Nowadays, the most common form of exploit used by hackers is over the phone. By using a technique called pretexting – meaning that someone attributes a pretext to their story – hackers impersonate, for instance, an IT administrator and ask an employee for credentials and passwords. More elaborate ploys involve physically entering a building disguised as an authority figure, such as an insurance inspector. These methods have been used to gain access to documents which might include administrator codes that would eventually lead to a point of entry over a computer network.

This process is now generally being referred to as social engineering and involves some element of human interaction in the process before a computer system is breached. Instead of skills normally associated with IT specialists, social engineering involves the use of mainly psychological principles such as being able to impersonate someone, manipulation and exploiting cognitive biases to their advantage.

Computer security experts spend a lot of time ensuring that their networks are impenetrable, but in reality few companies, especially locally, are aware of such ploys. Therefore, they rarely take countermeasures to train their staff to ensure they don’t fall prey to such elaborate schemes.


In the early days of computers, mainly the 1970s and 80s, hackers were mostly amateurs, just curious to see how far they could go. Most had no real intention of using or selling the data they managed to steal. Today, however, hacking has become a billion dollar business: the cyber espionage industry is booming and competing firms might engage hackers to steal your data and eventually use it to gain an unfair advantage. This does not mean that your competitors know they are doing something illegal, as most are not even aware that they are indirectly employing the services of hackers. Many hackers advertise their services as research consultants and promise they can obtain competitive data analysis about sales and plans without divulging how they are actually acquiring such sensitive information. It is also not unheard of for hackers to play two rival organisations against each other, hurting all involved parties financially before disappearing into a complicated legal grey area.

Some companies don’t even realise they were hacked and lost data, while others who notice the breach might not report it, as they are wary of the resulting bad publicity for their organisation. Many local businesses think that just because Malta is considerably smaller than other countries, we are immune to such attacks. Nevertheless, local breaches have been recorded in the past, and some of the attempts were quite elaborate and carried out by foreigners with extensive experience in this illicit trade.

A business must ensure that employees and administrators are not exposed to blackmail or become a target. For instance, an employee who has a gambling problem and has run up large debts might become an easy target for a competing company, which might offer to pay off the debt in exchange for confidential business data.

The first step someone running a business should take is to ask what information, if divulged, might hurt the organisation, and so identify the upper stratum of confidential data. You might be surprised at the amount of data, such as sales projections and client lists, roaming around on different computers. It would be a good idea to store such priority data in one centralised location, where it can be better secured. It is not good business practice to invest in the latest servers and IT security while your employees are copying data onto their USB drives, taking them home and saving files on various computer systems which are more vulnerable and open to attack.

The second step is to ask all employees to never, under any circumstance, divulge a password or certain sensitive information over the phone. Also, ask everyone to change passwords every few weeks, and ensure that all persons entering a building are duly registered and provided with an internal identification tag. Most importantly, instruct and remind employees to be alert and never let their guard down. This should at least provide a first line of defence against a potential attack.

These steps might be perceived as inopportune or tiresome but we must insist on security over convenience – otherwise we might as well start leaving our doors open to anyone wishing to stick their nose in and sniff around.

A third and final step involves testing your own security procedures. Engage a security consultant, preferably someone trained in both computer security and social engineering, to evaluate your system and see whether they are able to access some of your sensitive information, or at least gain physical entry into your organisation’s offices without being caught. It is extremely important that the consultant is a reputable one and assures you that everything will be conducted professionally. During a debriefing session the consultant will point out the physical and technical vulnerabilities identified in your overall structure, and later assist you in taking remedial action and closing any loopholes or weak points.

Ian Vella is a search engine optimisation specialist.
