A True, Unbelievable And Yet All Too Common Story
This is a true story.
There was an old wartime saying that ‘loose lips sink ships’. This essentially translates as: be careful what you say, because you never know who you can trust or who is listening. This message has become so relevant again in a time when social engineering and careless insiders are the number 1 threat to cyber security in UK Law Firms.
Recently, and somewhat ironically, I took a train home from a Cyber Security Expo in London. I took a table seat and was shortly joined by two smartly dressed gentlemen who continued a conversation about a colleague at work. It quickly became apparent that the men worked closely together and very much had a relationship involving lots of bravado and name dropping. In the short space of five minutes, whilst trying my hardest not to look as though I was eavesdropping, I had managed to gather from the conversation that the men worked for a major UK bank (this was named in the conversation), in the corporate department. The slightly taller and louder man was a Sales Executive and the other worked in a slightly junior position.
As the conversation continued, I learnt that the sales executive was married, the name of his wife, including surname, as he referred to her as Mrs X, and that their 12th anniversary was on a date the following week. He had gone out with his friends on Saturday because his birthday never falls on a Saturday but it did last weekend.
At this point I have the man’s Full Name, Date of Birth, Occupation, Wife’s name, important dates to him along with the company he works for, the department he works in, his normal travel patterns, the name and job title of his boss and the names of his close friendship group. Luckily, I’m no social engineer.
The men then engaged me in a conversation where they asked the purpose of my journey. I told them I had visited a conference in London. They were curious about the subject matter, so I disclosed that I work in cyber security. This is the best part! The men then proceeded to tell me that they know loads about cyber security because they get so much training working for X major UK bank and that they know all about Malware, Phishing etc.
I told them that that was great but that the biggest threat to UK businesses now is careless insiders and travelling employees who seemingly innocently reveal details about themselves and their company through loud conversations and open laptops. The men both laughed and agreed that people can be so silly these days. Now armed with that nugget of information and the fact that I have some Cyber Security knowledge, the men continued their conversation!
The men discussed how they were going to win their next major client, who happened to be a very well known UK brand. The Sales Executive suggested that he would use a contact that he had at the company to make sure that they gained an advantage. He revealed that, in a recent tender process for a company that he referred to by name, an old school friend of his (again referred to by name) had assisted by revealing details of the other proposals and had a huge influence on this particular bank actually winning the contract. The value of the contract was also discussed during the conversation.
This all took place in a very busy train carriage even after I had joined their conversation and discussed the problem of employees talking loudly during travel.
Are your employees aware of the data breach issues such an innocent conversation could create?