“Punch me in the face repeatedly, please.”

3rd February 2020

That’s a ridiculous thing to say to anyone, isn’t it? You probably wouldn’t say this to your best friend let alone a criminal.

But you see, that’s the problem. You probably ARE saying this to criminals. You just don’t realise it.

Every person and every organisation has some sort of digital footprint, and that digital footprint tells people who know how to look at it a lot about you. For people and organisations that don’t know what their digital footprint looks like, this is a big problem. Because your digital footprint is something you can’t see, hear, touch or feel, you don’t know that criminals are trying to use it. You can’t feel them punching you in the face.

So if you can’t see, hear, touch or feel this problem, what can you do about it? The good news is that there is a lot you can do.

Let’s look at an example. Take Organisation X. They have been told by their IT company that moving to the cloud through Office 365 is the way to go and it’ll save them money. Out of all that technical mumbo jumbo, all they’ve heard is “cloud, save, money”. Saving money has suddenly become the objective of moving to the cloud. Nobody has even considered looking at any security and now that’s going to be an additional cost.

So, Organisation X moves to the cloud and without them realising, they are now telling the world that they are doing so. How? Through their digital footprint. Through their DNS records. The Internet’s Yellow Pages is telling the world what they’ve done.

Generally speaking, you can tell a lot about an organisation from how they’ve adopted Office 365. If they have the basic DNS records then you can pretty much guarantee that there’s no multi-factor authentication on their Office 365 setup, which means all a criminal needs is a username and password and they are now in your network.

How easy is it to get usernames and passwords?

Well, if anyone isn’t aware of their digital footprint then it’s potentially very easy. A lack of awareness means that they probably aren’t checking to see if anyone they’ve given a username and password to has leaked that information somehow. As soon as the criminal sees the same password across a couple of different 3rd party leaks, they’ve got a good chance of getting in. Once they’re in, then the punching in the face starts. Except you don’t notice because you can’t see, hear, touch or feel it.

Thankfully, this is one of the easiest problems to overcome with two simple solutions to start with.

First and foremost, protect any online accounts you have with multi-factor authentication (MFA). This is usually free and involves downloading a free app such as Authy, Google Authenticator or Microsoft Authenticator, to name but a few. Once you’ve got that app, you can set it up to provide a code when you log in, and that’s usually as complicated as pointing your phone camera at a code on your screen during the setup process. There’s nothing difficult about this and there’s zero cost to it. Even if you do have a huge digital footprint and your password is out in the wild, employing MFA usually means the criminal’s job is that much harder and they’ll go elsewhere.

Secondly, awareness of your own and, for business owners, your organisation’s digital footprint is critical. Knowing what is out there about you means that you’re wiser about how it can be used against you, so you can make better decisions about handling your risks. Questions about your social media presence (and staff use of social media), your DNS footprint, who you’re sharing web space with and how your suppliers are looking after you are all important to ask, and they are simple and cheap to answer.
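To see what your own DNS footprint says about an Office 365 move, you can run a check like the one below over an export of your zone. This is an added example, not code from the original post: the `example.org` records are constructed, the "name TYPE value" input format and the function names are assumptions, and the patterns are the record values Microsoft 365 setup commonly asks a domain to publish.

```python
import re

# (record type, pattern on the record value, what an outsider reads from it)
M365_MARKERS = [
    ("MX", r"\.mail\.protection\.outlook\.com\.?$", "mail is routed to Exchange Online"),
    ("TXT", r"include:spf\.protection\.outlook\.com", "SPF authorises Microsoft 365 to send mail"),
    ("TXT", r"^MS=ms\d+$", "Microsoft domain-verification token"),
    ("CNAME", r"^autodiscover\.outlook\.com\.?$", "Outlook autodiscover points at Microsoft"),
    ("CNAME", r"^enterpriseregistration\.windows\.net\.?$", "device registration with Microsoft"),
]

# Constructed sample: a simplified zone export for a placeholder domain.
SAMPLE_ZONE = """
; constructed records for example.org
example.org.               MX    0 example-org.mail.protection.outlook.com.
example.org.               TXT   "v=spf1 include:spf.protection.outlook.com -all"
example.org.               TXT   "MS=ms12345678"
autodiscover.example.org.  CNAME autodiscover.outlook.com.
www.example.org.           CNAME web.hosting.example.net.
_dmarc.example.org.        TXT   "v=DMARC1; p=none"
"""

def parse_records(zone_text):
    """Parse 'name TYPE value' lines into (name, type, value) tuples."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank line or comment line
            continue
        name, rtype, value = line.split(None, 2)
        rtype = rtype.upper()
        if rtype == "MX":                      # drop the priority, keep the mail host
            value = value.split()[-1]
        records.append((name.lower(), rtype, value.strip().strip('"')))
    return records

def m365_footprint(zone_text):
    """Return the public records that disclose Microsoft 365 adoption."""
    findings = []
    for name, rtype, value in parse_records(zone_text):
        for want_type, pattern, meaning in M365_MARKERS:
            if rtype == want_type and re.search(pattern, value, re.IGNORECASE):
                findings.append((name, rtype, meaning))
    return findings

if __name__ == "__main__":
    for name, rtype, meaning in m365_footprint(SAMPLE_ZONE):
        print(f"{name:28} {rtype:6} {meaning}")
```

Every line it prints is something anyone on the Internet can read, so treat a non-empty result as the prompt to confirm that MFA is enforced on the accounts behind those records.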

Digital Footprint assessment is something we do a lot. If we’re looking at a potential new customer, we look at their digital footprint. If we’re onboarding a new supplier, we look at their digital footprint. If we’re working out how to attack a client who is undergoing testing, we look at the digital footprint. It is the key to a successful attack and a successful defensive strategy.

Is getting punched in the face a nice experience or something you’d invite willingly? Is it a daft idea to manage your digital footprint to reduce the ways that criminals could possibly start punching you? If the answer to both of these is a resounding “No” then let’s get to work! That’s what we’re here to help you with. That’s why you’re safer with us.

Written by Stuart Green - Managing Director