Hacking Employee IDs | Remote Working High Risk | The Cyber Review

January 13, 2023
Written by Ana R.

How Much Data Can An Attacker Get From an Employee ID?

Cybersecurity awareness includes knowing what not to post online. With our digital reality of sharing content on social media, real-world cases have shown that it's easier to get ID cards than we think. If you post a selfie with your work badge, this is the kind of information hackers are always on the lookout for.

Even if you don't post a photo of your ID (which you know not to do), posting other details about your work or personal life can lead hackers to finding other sensitive information.

For example, in 2020, Australian Prime Minister shared a photo of his boarding pass on Instagram and that led hackers to his phone number and passport details.

Key elements possibly on an ID:

  • Name
  • Address
  • Building designation
  • Internal department code
  • Employee number
  • Phone number
  • Barcode or QR code

ID cards give access to highly sensitive data and information. If posted online, hackers can duplicate it.

Some companies have installed radio-frequency identification (RFID) entry authorization but this doesn't make them safer. People can by RFID scanners on Amazon or eBay, and it could take months before an ID theft is discovered similar to a ransomware attack.

There are now newer ways to check ID such as finger scans, face scans, or iris scans rather than physical cards.

Cybersecurity training should be proactive. Daily reminders, frequent simulations and workshops, to test skills is key, not just having a presentation every year.

Remote work exposing SMEs to increased cybersecurity risk

SMEs see remote work as an increased risk to their business

Based on research conducted, 77% of SMEs see remote working as an increased risk to their business. This risk is due to a lack of access to business infrastructure. It is difficult to monitor when nobody is on site and also risky to leave it completely unattended. The increased distance between staff and their infrastructure, and the delay time in maintenance and disaster response, is what cybercriminals are looking to exploit.

SMEs have increased risk of sensitive data being exposed or ransomware attacks if left unattended for too long.

Some industries are more at risk than others

Education, healthcare, and financial are top targets for cybercriminals. Thus, these industries need to regularly monitor their infrastructure.

Findings show:

  • The healthcare industry has been impacted most by remote working, with 89% of healthcare leaders stating that remote working has added extra risk for their infrastructure.
  • Manufacturing has been the least impacted, with 29% of leaders saying that there has been no effect on infrastructure risk as a result of remote working.
  • Despite believing that there is an increased risk brought on by flexible working practices, 1 in 5 retail and education SMEs still leave their infrastructure unmonitored. 16% of healthcare businesses and 18% of financial services businesses also do the same.

“It is imperative that SMEs treat their data and IT infrastructure like any other asset and properly secure it. If SMEs are unable to secure their infrastructure due to remote working or a lack of expertise, they must find a custodian who can do it on their behalf, or run the risk of having their data comprised in the future.”

Disappointing Canadian survey

A new poll of 253 small and mid-sized firms finds that very few businesses are prepared for a cyber attack.

Fewer than two in five respondents to the online survey by KPMG Canada, released on the eve of Cyber Security Awareness Month, believe they can fully detect and fend off cyber attacks.

This ties in to the challenges companies are face. From low funding, to staff shortages, it all makes it difficult to protect the business. Once businesses get more funding, they can not only focus more attention to cybersecurity, they can create awareness and training for staff too.

The larger the company and larger the digital footprint, it becomes more challenging with all the interconnections within the network

Other survey results

– only 38 per cent of respondents said cyber security is “deeply embedded” into all aspects of their business;

– just 39 per cent said they are “very confident” in their ability to detect and respond to a cyberattack, while 59 per cent were “somewhat confident;”

– 48 per cent of respondents plan to increase their cyber security budgets by up to 20 per cent in the next 12 months. One-third plan to increase cyber spending by less than five per cent in the same period.

Recommended actions

How to improve the cybersecurity maturity of organizations:

–Find more staff with cybersecurity skills

–Spread the importance of cybersecurity

–Focus on patching, identity and access control and vulnerability management instead of new products