Garbage that can be used for social engineering
It is said that when invading a network from the outside, "trashing" is often done to collect information in advance.
Assuming Kaspersky isn't in the habit of throwing away documents like evidence of fraudulent accounting or reports that put the company at a disadvantage, it's personal data that's at risk.
Now that privacy protection is becoming stricter, simply throwing away personal data is against the law. However, there seems to be no end to the cases of abandoned personal data.
Trash that cyber attackers can use for social engineering includes:
Even if a document is not confidential (such as an internal secret), there is a risk of it being abused by attackers if it shows the department's business, the technical terms that are usually used, the company's procedures, and so on.
An attacker who obtains the above information can impersonate a member of the business process by email or phone to extract further information or commit business email compromise (BEC).
Of course, the address and sender are written on the envelope. Envelopes used in business therefore reveal business relationships. For example, let's say an attacker learns that an employee at Company A has received a paper document from an employee at Company B.
In that case, they may contact the person who received the envelope and ask for an explanation, or send a malicious link disguised as an acknowledgment of receipt of the actual paper document.
Although cloud storage has become widely used, USB memory sticks and hard disk drives are probably used in the workplace. Departments that need to take photos with digital cameras may also use SD cards.
From a discarded broken phone, an attacker can pull the contact list and messages and pretend to be the previous owner; from a discarded USB drive or hard drive, they can steal work documents and personal data.
Even a delivery bag with an employee's name on it is an opportunity for cybercriminals. For example, it has been confirmed that phishing e-mails introducing limited menus and loyalty programs are sent to lure users to phishing sites.
How to properly dispose of garbage?
So, how can we dispose of garbage so that it cannot be exploited by cyber attackers?
Kaspersky recommends minimizing or eliminating the retention of information on paper. In today's world where eco-friendliness such as decarbonization is required, this is the right path.
Next, regarding paper, it is important to shred everything that is even slightly related to business. Don't forget to shred the envelope as well.
It is a good idea to physically render storage media such as USB memory sticks unusable before bringing them to an electronic device recycling center. Break CDs and USB memory sticks, and destroy hard disks with an electric drill or hammer to make them unusable.
You also need to be careful with smartphones. Smartphones have flash storage and computers have hard disks. If you throw away your smartphone or computer, you should check that the data is in an unreadable state.
And it is important to inform all employees of this. Unless each individual acts with a sense of urgency, it will be difficult to do the above in day-to-day work.