COMPUTER SECURITY: THE HUMAN FACTOR
How to help protect your company from social engineering
To ensure your company’s computer systems are secure, you back up your data regularly, use robust passwords, promptly address any problems reported by your staff, register your software, install an antivirus application, have a disaster recovery plan in place, and use all other necessary measures. So, you’re all set, right? No — not until you consider that your biggest computer security threat could be you and your employees.
What is Social Engineering?
Social engineering is a form of intrusion into a computer security system through the people who operate it. Rather than breaking into systems with technology, social engineers gain the confidence of system users and then trick them into performing actions or divulging information that result in a security breach. Social engineers rely on people’s natural inclination to trust others at their word and to respond to authority, as well as their disinclination to appear paranoid. They also rely on key information seeming unimportant to those who hold it.
For example, a person posing as a company executive calls a system administrator, demanding that certain actions be performed immediately. The system administrator, intimidated by the caller, complies without checking the caller’s identity. Before realizing the consequences, the system administrator has divulged a password, leaked confidential information, or compromised a network.
In another example, a person posing as an IT consultant walks into a company and makes requests of the receptionist. The receptionist, not wanting to appear paranoid, refrains from checking the “consultant’s” credentials and offers passwords and other information that lead to an attack.
Strategies for Foiling Social Engineers
Here are strategies to help avoid these threats:
• Do not share your password with anyone, including coworkers and company contractors. (System administrators do not need your password. They have their own accounts, and if they need to get into yours they can reset it.)
• Make it a policy that any outside IT consultant or vendor technician entering the premises must be expected in advance and accompanied by your company’s system administrator.
• Shred all documents containing specific information about the company, even if they are not “confidential,” per se. Such documents include calendars, organizational charts, contact lists, policy manuals, vacation lists, and so on.
• If someone claiming to be from a trusted outside source calls and requests information, insist on hanging up and calling back at the number you already have on file for that source, not a number the caller gives you.
• Do not follow instructions received in a suspicious email (such as following a link to a website, replying with your password, or running an attached executable file). If the message appears to come from someone you know, confirm it with them through another channel before acting.
• Do not share information with an unknown person who offers help with a problem, especially a problem you did not report or were not aware of.
• Do not be afraid to check someone’s credentials. Anyone with a legitimate reason to be contacting you won’t mind.
Remember, social engineers rely on people’s inclination to trust, so learn to be just suspicious enough to outsmart them!