It’s a buyer’s market for criminals with an eye for identity theft (opens in new tab). Thanks to workforces everywhere still being scattered post-COVID, employees are more vulnerable than ever to social engineering tactics. Additionally, once protected by robust on-premise security and corporate networks, sensitive data is now accessible via unsecured home environments.
What’s more, organizations across the globe are scrambling to digitize their processes, regulators have yet to enforce remote security procedures, and our most valuable data can now be accessed via easily penetrable devices on a basic home network.
It’s more important than ever that IT teams ensure their remote workforce is educated and enabled to deal with increasingly sophisticated criminal attempts.
Before delving into how to protect against identity theft, it’s important to understand the two core avenues criminals utilize.
Social engineering
Intruders looking to perform identity theft first undergo what can often be a lengthy process of social engineering. This means stealing minor information specific to the user they are targeting and using it, alongside intimidation tactics, to blend some truth into a narrative with the user, such as requests from a bank or trusted brand asking for verification or even answers to security questions. Once the victim divulges this information, the attacker can use it to seize total control of the user’s online identity and wreak havoc throughout the enterprise network.
Home network devices
With most, if not all, of the average workforce now being based at home, cybercriminals can bypass the more robust security of the physical office perimeter and find a way in through a less secure device sitting on the same home network as a company laptop (opens in new tab) or tablet (opens in new tab). This is particularly concerning for banks and other financial organizations housing lucrative data. Once an attacker breaks into the network, they can move laterally throughout the network and do what they do best.
With these routes to identity theft acknowledged, it’s up to IT teams to create strict procedures that enforce the best possible defense and ensure users accessing the network are equipped to correctly identify and mitigate threat attacks in the case that these defenses don’t work.
As always, the first and most effective thing IT leaders can do is create an atmosphere of caution amongst their colleagues. This means adopting a ‘zero trust’ approach to business communications – digital or otherwise. If users aren’t expecting an email asking for specific information, they should phone the sender to verify the request. That goes for any communication – if there is a second way of authenticating the person at the other end of the email or phone, it must become second nature. It is an extremely simple method, but it’s also the most effective. It’s awareness like this, almost common sense, that is often lost as businesses scramble to digitize themselves. Despite all of the security solutions available, humans still play a pivotal role in defending or failing an organization. Attackers will remember this, but organizations often forget.
Another vital tool in any defense is multi-factor authentication. By requiring more than one set of data from a user looking to access sensitive files or networks, the chance of a successful breach due to identity theft is immediately reduced. So, if your online identity is stolen, multi-factor authentication acts as a final safety net. If you can’t identify somebody, you can’t authenticate them. If you can’t authenticate them, you can’t provide the correct actor privilege level – which is how these compromises typically occur.
Network segregation is a reliable way to prevent criminals from accessing and laterally moving through an enterprise network, having accessed it through a weak security point at a user’s home. By providing remote workers with a separate network dedicated entirely to their workloads, IT leaders can remove these new security blind spots – in the form of the connected home – and close one of the prime avenues used by those attempting identity theft.
Stay vigilant
Identity theft attempts and remote working practices are here to stay, though the idea of total protection is gone. Nobody can fully protect, and so we must instead focus on defending for the inevitable. Beyond the above actionable tips for combating identity theft, IT teams and their organizations must embrace a larger sense of vigilance, awareness, and consistency when composing themselves and interacting with others online.