A digital footprint is the term used to describe your unique, traceable activity on the internet.
Attackers use publicly available information about your organisation and staff to make their attacks more successful. This is often gleaned from your website and social media accounts.
There is a lot of scope to limit the amount of information you share, which makes it harder for attackers to target you. Below, we outline a few steps that your organisation can take to stop being so forthcoming with important data.
Meet the team pages
Meet the team pages are a great way to add personality and help build the brand of a company. They can also be an absolute treasure trove for those with malicious intent. If an attacker knows the names, job roles, personal interests and email addresses of your employees, they can use this to craft targeted phishing emails or to inform password guessing against individuals. Limit this information.
As above, there's a lot of information out there on social media. By its nature, LinkedIn can be very forthcoming with employer/employee details, but any social media can reveal a lot of information. Review what's available on these sites - do you need to post details about recent contracts won/suppliers and partners? How do you do this?
You don't have to scrub everything clean, but be aware of what you're putting out there, and how it might be used against you.
What are others saying about you?
Be aware of what your partners, contractors and suppliers give away about you or your organisation online.
Try using multiple search engines to see what information you can find about yourself.
Use of employee credentials for 3rd party sites
This refers specifically to using corporate email addresses to sign up for 3rd party services (e.g. cloud storage providers, employee benefit schemes, open source software accounts). If these services are breached, and employees reuse passwords across accounts, then this can be a huge threat to your organisation. Leaked credentials like this can provide a simple way in for an attacker. In general, it's best to avoid using corporate emails to sign up to services where possible.
We have seen a few cases where developers have left important credentials on code repositories, or even hard-coded into websites etc.
This can have very dire consequences for all parties involved, so make sure that this is not being done.
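One way to check your own repositories for this is sketched below. It is an added example, not code from the original page; the rule names, the placeholder list, the entropy threshold of 3.0 and the sample file contents are all assumptions chosen for illustration.

```python
import math
import os
import re
from collections import Counter

# Illustrative credential shapes, not an exhaustive rule set.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\w*[\"']?\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
PLACEHOLDERS = ("changeme", "example", "your_", "xxxx", "${", "<")

# Constructed sample input; the AWS value is Amazon's documentation placeholder.
SAMPLE = '''DB_HOST = "db.internal.example"
DB_PASSWORD = "q7#Lm2!vX9pR4tZw"
API_KEY = "changeme-before-deploy"
aws_key = AKIAIOSFODNN7EXAMPLE
'''

def entropy(value):
    """Shannon entropy in bits per character; random secrets score high."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_text(name, text):
    """Return (file, line_no, rule) findings without echoing the secret itself."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        findings += [(name, line_no, rule) for rule, rx in RULES.items() if rx.search(line)]
        match = ASSIGNMENT.search(line)
        if not match or any(p in match.group(2).lower() for p in PLACEHOLDERS):
            continue  # no assignment, or a documented placeholder value
        if entropy(match.group(2)) >= 3.0:
            findings.append((name, line_no, "hardcoded-" + match.group(1).lower()))
    return findings

def scan_tree(root):
    """Scan every file under root, skipping .git internals."""
    findings = []
    for folder, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d != ".git"]
        for filename in files:
            path = os.path.join(folder, filename)
            with open(path, encoding="utf-8", errors="ignore") as handle:
                findings.extend(scan_text(path, handle.read()))
    return findings
```

Run `scan_tree` against a local checkout before pushing. Any credential it finds should be treated as exposed and changed, since deleting the line does not remove it from the repository history.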
Scratching the surface
We believe that there's a healthy level of paranoia when it comes to this sort of stuff. There are a number of other things which you can consider in order to reduce your digital footprint, but the important thing is to be aware of what information about you and your organisation is readily available online. The above points are some quick wins; further guidance and links can be found on the NCSC website (Tip 5 in that entry) at https://www.ncsc.gov.uk/collection/small-business-guide/avoiding-phishing-attacks
Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.
You need to report cyber crime to Action Fraud, which is the UK's national cyber crime reporting portal. You can report through phone (0300 123 2040) or on their website at https://www.actionfraud.police.uk
Remember, Action Fraud operate a 24/7 live cyber reporting line for organisations! Further details at https://www.actionfraud.police.uk/campaign/24-7-live-cyber-reporting-for-businesses