Information is power, and every company has confidential information that is at the heart of its business. Whether it’s customer information (credit card numbers, purchasing details), information regarding your computer systems (passwords, how to access your network), corporate financial data, trade secrets, or anything else, the thought of that data falling into the wrong hands or being made public is enough to make any businessperson tremble.
While the traditional emphasis of information security has been on technological solutions, security experts are increasingly looking to what they call the weak link in security – unsuspecting and trusting employees who inadvertently give out information. Firewalls, anti-virus software and software patch releases may protect information systems from hackers, but none of those defenses will protect the business when an employee willingly provides information to a seemingly innocent request.
The technique is known as “social engineering,” and hackers and thieves use it to bypass the complicated security technologies that protect sensitive information.
Small companies are particularly vulnerable because they tend to have fewer staff available to oversee security, and, as larger companies beef up security procedures, smaller companies look like easier targets.
Imitating an employee or vendor, or tricking an unsuspecting user into giving them the information needed to access the secure data, is easier than it seems. How, for instance, does a hacker get access to someone’s cell phone records? Someone will call into a wireless phone store and pretend to be from another store, unable to access an account. He’ll ask the co-worker to look up the information. No one wants to be unfriendly or unhelpful. What if they found themselves in the same situation someday? Once they receive the account number and customer address, intruders can access the customer’s online call records. Our research found that approximately 80% of employees will comply with this type of request.
Another technique involves the use of email or instant messaging. An address or user name that looks legitimate, or is very similar to the company’s own address, can be effective in tricking the recipient into replying with internal information or customer files. A third of the employees in the companies we studied indicated they would reply with confidential information to emails sent from deceptively similar addresses.
How can you protect your company against these types of leaks? Awareness, education and training are the three critical components of any information-protection strategy.
In educating and training staff, companies should emphasize that corporate information falls into three categories: public, internal and confidential. What information falls into each category varies from company to company, but some generalizations can be made: Examples of public information would include any data on a company’s website, or in brochures or informational handouts. Internal corporate information might include things like an employee directory or employee manual, or sales data. Information in the confidential category would include customer information, personal information about employees, IP addresses, or information about the firm’s computer systems. These classifications will prepare employees from the mailroom to the boardroom to recognize who has a right to the information.
TO THE POINT: Training workers to think of information as falling into one of three categories (public, internal or confidential) helps protect data.
Small business managers should consider developing and distributing an information sensitivity policy to employees: a template for one can be found on the website of the SANS Institute, a computer security training organization (www.sans.org).
Internal procedures should define how employees can verify the identities of customers, vendors, or co-workers before divulging sensitive information to them. Employees should also be instructed to carefully examine return email addresses before responding.
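As an added example that is not part of the original article, here is a small Python check that a mail gateway or help-desk tool could run on a sender address before an employee acts on it: it classifies the address as the company's own domain, a lookalike (digit-for-letter swaps, a misspelling, or the real domain embedded in a longer one), or plain external. The company domain example.com and the sample addresses are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Hypothetical company domain(s); the real list would come from policy.
TRUSTED_DOMAINS = {"example.com"}

# Characters commonly swapped for visually similar letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Fold common visual tricks so 'examp1e' and 'exarnple' both read 'example'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for an email address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        if norm == tn:
            return "lookalike"          # only homoglyph substitutions differ
        if tn in norm:
            return "lookalike"          # real name embedded, e.g. example.com.evil.net
        if SequenceMatcher(None, norm, tn).ratio() >= 0.85:
            return "lookalike"          # one or two edited characters (typo-squat)
    return "external"


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    samples = [
        "alice@example.com",
        "billing@examp1e.com",
        "hr@exarnple.com",
        "it@example.com.account-check.net",
        "support@exampel.com",
        "newsletter@vendor-store.org",
    ]
    for s in samples:
        print(f"{s:40} {classify_sender(s)}")
```

A "lookalike" verdict should trigger the identity-verification procedure (call back on a known number) rather than an automatic block, since legitimate partners occasionally use similar names.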
Employees should also be coached to recognize some of the signature techniques of social engineering so they’re equipped to deal with a manipulative caller. Social engineers often sound rushed or claim an emergency, drop the names of the top executives or owners of a company in an effort to invoke their authority, may try to intimidate the employee by threatening to report their uncooperativeness, and refuse to give contact information.
Training and education are an ongoing project: employees need to be reminded of the dangers of social engineering at least once a year. Learning how to protect your valuable information should have the highest priority in any small business.

