For cybercriminals, data is still king. So, when targeting a company for an attack, cybercriminals would also turn to the crudest approach— that is, diving into corporate trash for any valuable data. According to Kaspersky, the top three carelessly discarded trash that are highly useful for cybercriminals are: work documents, envelopes and digital storage media and whatever info they might extract from these can be monetized or used against your company.
“It’s said that one can learn a lot about a person or a company from the trash they throw away. Cybercriminals know that all too well and finding out that they rummage through company garbage shouldn’t be surprising,” says Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky.
Even with digitizing, companies would still be handling paper. In a research by a printer company, the average office worker prints as many as 6,000 sheets of paper in a year (25 in a day) and about 3,720 sheets are considered waste (10 per day). Another research says that nearly half of printed documents in a typical office are discarded within 24 hours.
Tossed-out work documents don’t need to have confidential data in it to reveal what your team is doing, your business lingo, or even your current business processes. Once these are in the hands of a cybercriminal, such information would be handy to impersonate a staff, supplier or client through telephone or email to draw out more information.
In the past few years, cybercriminals have increasingly resorted to business email compromise (BEC) attacks that target corporate correspondence. A real-life example was when a car manufacturer’s European division lost more than $37 million (P1.8 billion in today’s current forex) to cybercriminals as a result of a fake bank transfer instruction that an employee mistook as legitimate.
Another interesting trash for cybercriminals are envelopes from business letters that indicate details of the addressee and the sender. With knowledge of this information, a cybercriminal can contact the recipient with a convincing request for clarification or send a malicious link that appears to confirm receipt of a real physical document.
Not to be ignored as ordinary office trash are digital media which can be a treasure trove of information for anyone with a malicious intent. A broken smartphone can cough up lists of contacts and messages and can be used to imitate the former user of the device. Flash drives, hard disk drives or solid state drives hold tons of work documents and personal data.
“More than 80% of all cyber-incidents are caused by human error. Cost-wise, a cybersecurity breach would set back a small to medium-sized business about $101,000 and an enterprise for $1,090,000 on average (as of last year’s statistics from Kaspersky). So, it’s up to us in the business sector, regardless of position in the company, to be mindful that the security of the business depends directly on our behavior in handling corporate data,” adds Yeo.
Below are some tips from Kaspersky on how to minimize or eliminate the use of office supplies for data storage and hopefully not be used by an attacker:
- First, destroy all paper documents that are related to the work of the company before tossing them in the garbage. That means all of them, not just those containing personal data. Shred them, envelopes included.
- Digital media (hard drives, flash sticks) do not belong in the trash. You have to render them mechanically unusable and take them to an electronics recycling center. Use pliers to snap disks and flash drives. For hard drives, use an electric drill or hammer. Remember that there is a flash drive inside every phone and a hard drive inside every computer. If you’re throwing any of them out, first make sure their data is unreadable.
- Before throwing away parcels or food delivery bags, it’s good practice to tear off and destroy any labels with the name and address of the sender and recipient.
Besides proper disposal of corporate garbage, another way businesses can beef up their cybersecurity is by utilizing technologies like Kaspersky Endpoint Detection and Response Optimum (KEDRO) which delivers straightforward in-depth defense against complex and advanced threats with no additional overheads.
The KEDRO automation features ensure that incidents are dealt with swiftly and its simplified root cause analysis helps reveal the true scope of the threat so you can act accordingly, all with an easy-to-use toolkit.
