Analysis within the Internet Organised Crime Threat Assessment documents that ransomware maintains its reign as the most widespread and financially damaging form of cyber attack, while criminals continue to defraud e-commerce and attack financial sectors.
Current global risk and the international response highlight the need for greater mitigation efforts that include cooperation and collaboration with the private sector and academia.
It is recognised that criminals target data for their current and future crime opportunities, making organisational data security and consumer awareness a priority.
The future threat from Artificial Intelligence is as yet unknown; however, new threats do not only arise from new technologies but, as is often demonstrated, come from known vulnerabilities in existing technologies.
We were tasked with checking and, where necessary, improving the personal security of senior banking executives in terms of their use of, and presence on, social media platforms. As part of the task we asked for access to the relevant social media and cyber security protocols, procedures and standards operated by the banking organisation.
One of our officers arrived at the premises, signed in at reception and was provided with a visitor’s badge which simply had a ‘V’ on its face but no other biographical or photographic information. Our officer sat down in the lobby opposite the lift. A few moments later a man our officer had not seen before emerged from the lift and waved. Our officer waved back, got into the lift and proceeded to the top floor of the building (where none of our staff had been on previous visits), whereupon he was taken to a boardroom. Small talk ensued with the occupants about our New York office (which we do not have) and our office at Canary Wharf (which we do not have). After a few minutes, our officer asked the attendees to whom they thought they were speaking. When he explained that he was not their intended guest, the meeting ended rapidly and our officer was taken to the correct level of the building, albeit with the important strategic information that had been broached during his unintended meeting firmly in his head.
Our officer was taken to the designated room, but there was no laptop. Our officer explained that he did not have all day and asked if he could simply have access to physical copies of the documentation instead. Our officer was shown a directory of files and asked which ones he needed. Recognising that the office worker had no idea that our officer was permitted to see only designated files, he asked for all of the files in the directory. A few hours later, having finished working through the documentation, our officer was released from the locked room and asked whether he could take the documents with him. The office worker refused on the basis that they were confidential. Our officer left without the documents but with photographs of everyone on his phone.
When we met with the banking organisation, ostensibly about their social media security, we were able to demonstrate instead how we had managed to compromise both their physical and document security with ease. We notified the organisation that it did not matter how careful executives were about what they put on social media if the overarching architecture could be so easily accessed. If we were able to extract standard operating procedures pertaining to travel arrangements for executives, we would be in a position to effect a kidnapping irrespective of whether or not they advertised their travel plans on social media platforms. In other words, thinking laterally rather than with a ‘tick-box’ mentality remains a crucial, but often neglected, risk management tool.