Avoid the PR Security Breach
We all want to promote our teams and our organizations.
After all, the free publicity generated by public relations (PR) can help with building our reputations & brands, and complement our marketing efforts.
Unfortunately, publicity can directly undermine security. Casual publicity shots and press releases can reveal more than intended, and put the entire organization at risk.
Fortunately, there are very simple steps that you can take to reduce the chance that a press release negates your investment in IT security measures.
Executive Names in Attacks
PR firms love to include the names of important executives in a press release to humanize the organization.
However, by including the name of an executive, they provide an attacker with the key to execute many different styles of cyberattacks.
The easiest cyberattack is simply to phish the executive, using their own name and possibly the theme of the press release. If the attacker can compromise the executive’s computer, the attacker immediately gains enhanced access to the organization.
With a bit more effort, the attackers can use the executive’s name to perform social engineering attacks or email phishing attacks on other employees within the organization. The goals of such attacks may be simply to obtain network access that the attackers will then exploit.
Other times, the attackers bypass an attack on the IT systems, and proceed directly to Business Email Compromise (BEC) or CEO fraud. These attacks rely upon poor internal communication to trick the company out of its money by using false invoices and other fraudulent methods.
How to Protect Against Executive Name Attacks
Fortunately, a few practical steps can eliminate most of the danger.
First, you’ll need to invest in email and endpoint security products. These defenses will stop many different types of attacks outright while also making the company more resistant to cyberattacks in general.
Next, train your employees to be aware of fraud and social engineering attacks. Phishing awareness training can help employees recognize suspicious emails. They should also be trained to recognize suspicious phone calls and visitors.
Next, create and enforce corporate policies & procedures designed to provide checks and balances. For example, the CEO should not be able to send one email and have a check cut for $1 million without a second signature or another executive’s approval via voice or text.
As a final layer of protection, use different names for publicity and business purposes. For example, an executive named Johnathan “John” Smythe Doe can be called “John Doe” in press releases, but the company can also make sure that all business correspondence is signed “Johnathan Doe,” and checks must be signed “Johnathan S. Doe.”
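The split between a publicity name and a business name can also drive an automated mail check. The sketch below is an added example, not part of the original article: it flags messages that use the press-release name or that pair an executive name with an outside sender domain. The domain, sample messages and finding labels are constructed for illustration, and sender authentication (SPF, DKIM, DMARC) is assumed to be handled elsewhere.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; the names follow the article's example.
PUBLICITY_NAME = "john doe"       # appears only in press releases
BUSINESS_NAME = "johnathan doe"   # signs real business correspondence
COMPANY_DOMAIN = "example.com"    # placeholder company domain

def _norm(text):
    """Lower-case, drop periods and collapse whitespace for comparison."""
    return " ".join(text.lower().replace(".", " ").split())

def classify(raw_message):
    """Return a list of findings for one message (empty list = no flags)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    # Treat the last non-empty body line as the sign-off.
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    signoff = _norm(lines[-1]) if lines else ""
    findings = []
    # The publicity name should never appear in business mail.
    if _norm(display) == PUBLICITY_NAME or signoff == PUBLICITY_NAME:
        findings.append("publicity-name-used")
    # Either executive name arriving from outside the company domain.
    if _norm(display) in (PUBLICITY_NAME, BUSINESS_NAME) and domain != COMPANY_DOMAIN:
        findings.append("executive-name-external-domain")
    return findings

# Constructed sample messages (not real mail).
SAMPLES = {
    "press_name_lure": "From: John Doe <j.doe@example.net>\nSubject: Urgent wire\n\n"
                       "Please pay the attached invoice today.\nJohn Doe\n",
    "internal_signoff": "From: Accounts <ap@example.com>\nSubject: Invoice\n\n"
                        "Approved, send it.\nJohn Doe\n",
    "lookalike_domain": "From: Johnathan Doe <ceo@example.org>\nSubject: Payment\n\n"
                        "Call me.\nJohnathan Doe\n",
    "legitimate": "From: Johnathan Doe <jdoe@example.com>\nSubject: Q3 budget\n\n"
                  "See notes.\nJohnathan Doe\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

A finding here is a prompt for the out-of-band verification described above, not proof of fraud.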
Promotional Pictures and Credentials
Hospitals, corporations, and government offices often use badges and uniforms to help employees stand out from non-employees.
These uniforms act as a form of security to help other employees recognize who does and does not belong. Unfortunately, when snapping pictures for promotions, most employees forget that they are wearing potential keys for an attacker to use to obtain physical access to employee-only areas.
No matter the strength of your security system, it cannot stop an employee from opening the door for an attacker wearing the proper-looking uniform and badge.
It’s very easy to do a Google search for nearly any hospital and find pictures that provide attackers with information. For example, take the picture above, published in the Mirror on behalf of the Royal Manchester Children’s Hospital.
The picture was cropped to remove faces, but you can clearly see a blue uniform with white accents that could be purchased and monogrammed by an attacker to blend in with other employees. Also, while the nurse on the right has flipped her badge, two medical staff members on the left clearly have their badges displayed with their faces and the format for the official badge clearly shown.
An attacker can easily pull enough information from pictures such as these to mock up a badge and uniform. Once an attacker walks into the “secure” areas of a hospital, they become both a physical security risk and an IT risk for any workstation they might access.
Bringing It All Together
Fortunately, these issues can be controlled with minimal expense.
With good training and protocols in place, you’ll be able to stay ahead of PR security breaches. So long as the executives make their expectations clear and hold departments accountable, your organization will be prepared and remain vigilant. Good PR can be a wonderful thing for your business, as long as you have a plan in place.
Need extra IT and cybersecurity support? Ideal Integrations and Blue Bastion can deploy the latest technology to protect you from internet-based cyber threats, and help you to develop a solid and secure network – whether it’s remote, in-house, or both. And, we’ll help you get the right information to your team to avoid gaps in your security.