SIM Hijacking Has Become A Business Threat: Are You Prepared?
By Kurt Markley, Apricorn

It’s no secret that consumers often fall prey to cyber-attacks from criminals, but many business leaders mistakenly believe they’re not as vulnerable to such scams. The reality is, though, that fraudsters are becoming more and more sophisticated - and setting their sights on victimizing organizations too. Consider SIM swapping, for example.
This consumer threat has been around for quite some time. It occurs when a criminal contacts an individual’s wireless provider and uses the individual’s personal data to convince the provider that they are that individual. The criminal works to get a new SIM card issued for the victim’s phone number, which, once received, grants access to the individual’s calls, text messages, and accounts. The criminal can even change account passwords and steal money or data.
Recently, a group of European cybercriminals used SIM swapping to target U.S. celebrities and their families, ultimately gaining access to more than $100 million from them. If such drastic outcomes can occur from SIM swapping when targeting consumers, you can see how it could create major issues within organizations. Here’s what to do to make sure you’re prepared to prevent SIM hijacking in your own business.
Evaluate Your Environment
First, it’s important to recognize the likelihood of such cyber-attacks in the context of the current landscape. A Princeton study recently found that five major U.S. prepaid wireless carriers are vulnerable to SIM swapping attacks, creating a high threat level since these carriers host the vast majority of customers.
Further compounding the risk is that COVID-19 has forced countless employees across the country into remote working environments, which is expected to continue even as restrictions are lifted. When staff members use a mix of business and personal devices, from a variety of locations, they make it easier for cybercriminals to target their devices and infiltrate their corporate networks, systems, and databases.
When it comes to SIM swapping, many network providers have increased security measures. But this isn’t enough. Don’t underestimate the criminals who work to circumvent these safeguards, as happened to T-Mobile. The carrier disclosed in February 2021 that it had experienced a data breach in which SIM hijackers were able to gather customer account details, personal information, and PINs.
Equip Employees
People are an important part of security culture and need to understand how to protect themselves and their organizations. Surprisingly, many employees don’t see themselves as a security target. Roughly half of the respondents to a recent global IT security survey say that individual employees in their organization do not consider themselves targets that attackers can use to access company data. So, the first step is to train team members in basic security hygiene. This includes some straightforward lessons, such as reminding them to change their passwords regularly and to never click on a link from an untrusted source. Also teach them about the most common threats they’re likely to encounter, along with newer social engineering threats, like SIM swapping. Most of all, give them tactical guidance about how to control risk.
Second, train employees on the specific security best practices that are unique to your organization. This is also the time to make sure your staff is aware of any regulations your company must adhere to, like GDPR in Europe and the CCPA in California. Remember, too, that security training isn’t a “one and done” priority. You must continue to hold training sessions as cybercrimes and protocols evolve, and run periodic refresher courses for your team to keep these measures top of mind. Be sure to include freelancers and other third-party contractors in this as well, since your organization’s security is only as strong as its weakest link.
Encryption & Endpoints
Finally, look at how your organization stores critical data. You should have endpoint controls in place that secure any end-user devices that connect to the enterprise network.
The best defense for endpoint security is encryption, which comprehensively protects data when it’s static or on the move. Many organizations are even adopting companywide encryption policies, and it’s wise to explore this option.
Your team should back up their data locally to a company-sanctioned removable USB or hard drive that automatically encrypts any information stored to it. This is the most certain way to prevent unauthorized individuals from gaining access to it and to keep data safe when it’s transferred between devices. Additional solutions to consider include application control, privileged user access, data loss prevention, and network access control.
SIM swapping and other cybercrimes that formerly only targeted consumers are now being used to attack organizations. If you secure your data, train your team and stay on top of the evolving changes, you’ll have the strongest defense possible - now and in the future.
About The Author
Kurt Markley is U.S. Managing Director at Apricorn, a manufacturer of hardware-encrypted USB drives. Kurt has more than 20 years of experience in technology and cybersecurity.
