Admittedly, such low-level operations don’t generate the same employee anxiety or organizational confusion as downsizing and M&As — and, therefore, don’t present the same opportunities for hackers. However, Carruthers says they are still creating changes that hackers can use to their advantage. “They all breed opportunities for attackers.”
Carruthers knows firsthand how strategies like these work. His team of dedicated hackers conduct tests that begin by gathering information from six months’ worth of announcements, blogs, social media posts, and online forums where employees share their thoughts. Then his team decides where and how to strike based on that information gathering, just like criminals would. He says his team could use something positive against the company by conducting a phishing campaign that claims the popular job is ending. Or a team might use a move to new technology to make it easier for employees to share login or authentication information.
While CISOs can’t shut down the flow of information, they can counter hackers’ ability to effectively use it against their organizations, Carruthers said. They can monitor OSINT about their organizations, work with other officials on announcements and the timing of those announcements, and run simulations of how those announcements play out from a business perspective. All of that helps CISOs and their teams see what hackers see, better understand their thinking and prepare for potential targeted attacks.
Source link