As we start the new year, be reminded that security is your responsibility no matter what role you serve.
Whether you’re an employee supporting DoD contracts, or a vendor in the private sector, or simply a loved one promoting a cause or sharing family events, anyone and everyone can become a vector for threat actors.
Information is currency, and it doesn’t have to be classified to be valuable. It’s often unclassified sensitive information that serves as the basis for successful exploitation, whether it’s personally identifiable information (user name, password, address, phone number), health-related data (medical conditions, prescriptions), or contextual information (name of your boss, professional association you’re a part of) that allows a threat actor to approach you more effectively by weaving names and events you recognize into phishing emails, resume solicitations, or in-person meet-ups at conferences, marketing meetings, trade shows, etc. All are intended to gain your trust, lower your natural suspicion, and engage you in conversations that lead to further solicitations and eventually exploitation. By targeting unwitting “insiders,” these threat actors can more easily get to the information they want, without doing the hard hacking of your information systems.
To protect yourself:
- Be suspicious; it’s ok. Ask “why do you need to know that?”
- Verify identities of unknown individuals by calling them back after checking the legitimacy of their identity claims
- Limit exposure of sensitive information; don’t conduct work or sensitive personal business in public settings or on public networks
- Check backgrounds and references of job candidates
- Implement legally enforceable non-disclosure agreements
- Take advantage of available security training and threat awareness briefings
- Don’t open attachments or click on links from unexpected emails; be mindful and recognize what your normal email traffic looks like