Skip to main content

Three’s the magic number – on-boarding, off-boarding and getting the message across

(Image credit: Image source: Shutterstock/Ai825)

I remember a time when we would be surprised by data breaches. They were a terrifying glimpse into a new age of large-scale cyber-crime – swathes of consumer data being smuggled out of a network by nefarious means. 

However, as time has gone on, these kinds of attacks have become more common, and far less newsworthy. Sony, J.P. Morgan, Talk Talk, Mumsnet, and Tesco Bank have all fallen foul of cybercriminals looking to leverage the information that they manage to steal for monetary gain. 

Last week, the mobile network Three had its “upgrade database” hacked into – the portal that notifies the company when it is time for contracted customers to be offered a new handset as part of their deal. Eight customers had been upgraded to new handsets that the attackers were set to intercept – worth bearing in mind that top-of-the-line mobiles can now go for around £800. Further to this, the attackers made off with the account details of more than 133,000 customers – a serious data breach by any account, regardless of whether this was the end goal of the attack or not.   

As it turned out, the data was an unfortunate bystander in the crime, as it was predominantly an attack to carry out handset fraud. That’s not to say that the hundreds of thousands of account details that the criminals now have won’t be leveraged.

The reasons that this breach made such headlines were twofold: yes, the amount of customer information taken was substantial, but furthermore, this wasn’t a ‘hack’ in the traditional sense of the word. Instead, the cybercriminals used stolen employee log-in details to access Three’s network and take advantage of the systems available to them from the inside. By using this strategy, the gang had easy access to critical information. On top of this, it brought them valuable time before anyone at Three noticed the unusual behaviour – perhaps until those customers tried to upgrade themselves and saw it had already occurred.   

These are both factors as to why an insider threat can prove far more dangerous than brute-forcing your way into a network, and perhaps points to an issue with the on- and off-boarding processes at Three. When people join or leave the company, the details that they receive – for anything from opening up stores to accessing computer terminals – is a crucial set of information that needs to be very closely managed and monitored to ensure that no back doors into the company’s network are left open. In many ways, automation could have prevented this attack in its entirety.

Such issues should be addressed by refining and automating such process as on- and off-boarding to ensure that they are protected against risk. New joiners should be granted the correct access – access based on their position and seniority – and leavers should be stripped of access entirely. 

Think of people using an ex-partner’s Netflix password after the relationship has ended, and you’ll have a good idea of the type of issue faced by organisations that don’t close off the log-in loop once an employee has moved on. Access to their database is left unlocked by someone no longer on-site or bound by contracts to the company.

With the user lifecycle, automation ensures that you aren’t going to have a user slip through the cracks or a log-in be lost or replicated, by keeping the entire process to a strict set of automated checks that will raise a flag if it seems there is an issue. By using automation in this way, the attackers may never have gained access to Three’s network.

However, the attack (in this early stage of reporting) may well have come from an entirely different branch of insider threats. It may well have been that an employee had been logged into their email on their phone that they then lost on the bus, or dropped a notebook containing their most recently updated password that they kept forgetting. They may have even received an email marked ‘urgent’ from their boss asking for some details, unknowingly falling prey to a common type of phishing email that can elicit information as easy as pressing send. 

The point being made is that employee log-in details could have been unwittingly shared with the cybercriminals just as easily – if not more – than them being given out maliciously. As previously mentioned, the ability to break into a network using legitimate information often buys attackers far more time than forcing entry, so this kind of information is highly coveted.   

For these types of breaches, it is education that is paramount for the workforce. No amount of sophisticated threat monitoring and automated lifecycle management is going to help when a password is left on a sticky note or somebody ticks ‘remember my details’ on a public machine by accident. Instead, your staff – both your biggest asset and biggest security liability – should be educated about the dangers of email phishing, device security and general best practice when dealing with company details. Technology exists, but the strongest line of defence for any organisation would be to have an aware and savvy workforce. 

It will be interesting to see how the Three breach develops and if any further information becomes public about how the criminals managed to gain entry through employee details so easily. But even at this early stage, lessons can be learnt for any business. The user lifecycle needs to be locked down – and automation is the best way to this. Secondly, employee education could well have prevented these details falling into the wrong hands. 

Data breaches may not shock us in the way they once did, but they still have the power to demonstrate both how to – and how not to – ensure your business remains secure. It could be eight handsets, it could be millions of accounts, but the baseline rules remain.   

Image Credit: Ai825 / Shutterstock

Jason Allaway
VP of UK & Ireland, RES.