"People are prone to taking mental shortcuts. They may know that they shouldn't give out certain information, but the fear of not being nice, the fear of appearing ignorant, the fear of a perceived authority figure - all these are triggers, which can be used by a social engineer to convince a person to override established security procedures."
-Kevin Mitnick, infamous hacker turned security consultant.
Credit card numbers, email addresses, and private photographs receive most of the media's attention when a hacking scandal breaks. Recently, however, we have seen a major theft of Intellectual Property (IP) from Sony that likely would not have made the news had it been on a smaller scale. The reality is that hackers often target IP, but given the sensitive nature of such losses and their possible financial repercussions, victims of IP theft rarely make it public.
Your organization's prized IP—patents, trade secrets, unreleased products, even accounting information and customer databases—is a major target for cybercriminals, a large number of whom are mercenaries hired on the DarkNet by less than ethical actors such as your competitors, disgruntled employees, or even government agents.
Cybersecurity is the first job of an IT professional, whether they are part of your staff or an outside consultant. The first step to securing your IP is to write a company-wide security policy that every person with access to your network must learn and keep up to date with as it changes.
As part of this security policy, you and your IT staff need to identify what is IP and what is not. Following that, you need to deploy a document security strategy, likely with encryption, and of course permissions for the users who must access this sensitive data. Multi-Factor Authentication (MFA) is strongly recommended for any access to your network. With modern cell phones, this is simple to execute. (Every organization needs to do this immediately.)
Now that you have properly locked your IP away and assigned permissions, you must address the 'weakest link,' and that is you and the other human beings who work with you. A major part of your written security policy needs to include behavioral guidelines and formal procedures. Hackers—like Kevin Mitnick—absolutely love to 'socially engineer' users who have been given permission to access sensitive data. This method is far easier than actually hacking a secure network, and the more employees you have, the easier it is to find a suitable target.
Smart, well-educated, and experienced individuals have fallen for hackers' social trickery, so everyone needs to stay up to date and on alert, because they are literal targets. In fact, hackers are more likely to target you when you are not in the office: they will obtain a list of your employees and target them through their cell phones, or on their home computers, where their guard is down.