Where Cyber Meets Skinware: An Enterprise Security Problem
As your enterprise virtualizes and leverages cyber technology to speed productivity, the incidence of cybercrime will, of course, increase. Similarly, as your employees’ behavior, as consumers, drives the technology they use (BYOD), the cybercrime cat will continue to be let out of the bag. What can any enterprise, security leader or technology truly do to eliminate or prevent cyber terror, espionage, theft, network intrusions and major fraud when the humans involved are making it so easy?
In the connected world, there are only three components that can cause failure: hardware, software, and skinware. For example, with hardware, your hard drive can crash. Or with software, an operating system may have a continuous loop in which you start your computer and an error message indicates it has encountered a problem and has to restart and that repeats until you cry. Or a skinware issue, which is, well.... you. You don’t know what you are doing, and you are the problem.
While the Home Depot, Target and (oh, just fill in your favorite retailer here) hacks are real network breached cybercrimes, there are too many schemes – scams and human error – due to poor or no training that are leading to real crimes. That’s right – skinware!
A perfect example is the African Cyber Crime School Impersonation Scheme. No, really. I didn’t make this up. It’s on the FBI’s cybercrime alert site if you want to check it out. So how do you successfully impersonate an entire school? I couldn’t even get away with forging a lousy hall pass!
If you have not read about the African School Impersonation Scheme or are not familiar with the FBI’s Internet Cyber Crime Complaint Center (IC3), it all sounds so technical and scary. Somehow, it would appear, Africans will steal our schools blind through the Internet while we sit in the cafeteria, helplessly trying to guess what we are eating.
But that is not it at all. Whether or not Cyber is in your job description, I assure you that stopping this scheme is right in every security leader’s sweet spot.
First, no encrypted passwords are broken or firewalls hacked. Your CIO, CISO or network security administrators have nothing to breach, protect or stop in this matter. No computer needs to be turned on or connected to the Internet. So, it is not about the Internet or cyber. The only technology the criminals use is the “good ole telephone.” Imagine that.
Second, it is not about schools, although they were initially used as the golden ticket to steal millions in products. This scheme is very successful and, as a result, it has quickly spread to businesses and other institutions. The FBI shares that the scheme is resulting in $200,000 per incident thefts. (Laptops, medical supplies, industrial equipment, etc., are all at play).
This scheme is all about you and physical security insider threats. But no, that nice customer service representative is not a nefarious criminal mind; just a poorly trained employee without policies in place to prevent them from being human engineered. Indeed, they are so helpful that they are helping a criminal perpetrate a crime.
Here are the 1-2-3’s of the School Impersonation Scheme. The criminal contacts a business’s customer service center, poses as a school official and, using human engineering techniques, gathers additional information about the purchasing account. Most customer service training ends the call by asking, “I have answered all your questions and is there anything else I can help you with today?” And in this case the agent most certainly has.
Next, the criminal calls the targeted vendor again with account information in hand and places an order billing to the school’s line of credit. This is bold; they give the actual school address for the shipment and then call the school pretending to be the business they just ripped off. Stating they shipped an order in error, they ask them to return it. They then ship labels to the school, and the school unwittingly forwards the shipment to the criminal’s address.
As noted, it started with schools, but has spread quickly to other sectors. And why not? Without policies, training and a way for employees to “see something, say something,” your company doesn’t stand a chance. And having a CIO buy more hardware and software with more passwords is not the answer in this and in many other criminal cases.
Cyber or not, naming it is less important than stopping it. This is where physical security’s expertise, leadership and experience are perfectly suited to identify and mitigate known risks. Otherwise, your customer service representatives will not even recognize a well-crafted fake hall pass.