Social Engineering techniques are being used by the unscrupulous to gain access to premises and assets, both online and offline. From being duped into giving your email password on the phone, to digging through your bins for discarded paperwork, there are many ways in which someone can compromise the security of your firm.
Social engineer Chris Hadnagy suggests that one should employ ‘critical thinking’ to deal with these social engineering attempts. Critical thinking means thinking twice about what you are doing or are being asked to do. Armed with this approach and a bit of preparation, you should be able to ward off these ‘hacking’ attempts.
Securing the Office Perimeter
You should take practical steps to keep company assets secure, both real and digital. Here are some good examples:
- Make regular back-ups of your servers, store them on discs or tape and place them in a safe that is both waterproof and fireproof. It is also preferable for the safe to be off-site. Important company documentation and petty cash should likewise be locked in a safe that is both fireproof and waterproof.
- Be aware that criminals may go through your dustbins in order to find discarded documentation that could be used to give inside information to competitors or simply to gain access to your bank accounts. It is a good idea to put your unwanted paperwork through a cross-cut shredder before throwing it away.
- Train your staff not to disclose sensitive information over the phone (bank account numbers, passwords, etc.), especially when receiving outside calls. Telephone scams in which the caller pretends to be from the IT department and asks you to reset your password to one he gives you are common. Imagine the chaos that would ensue if most of your staff fell for that one! The same goes for unsolicited emails.
- Hackers will be looking for old software such as FTP servers, PDF programmes and web browsers that have not been updated and are open to hacking. While ensuring that your entire company’s computers are regularly kept up-to-date may be expensive and time-consuming, it will keep your office safer in the long run.
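A back-up that is locked in a fireproof safe is only worth anything if it can be restored intact. As an added illustration of the back-up advice above (this is example code, not from the original article), the following script builds an archive together with a SHA-256 manifest of every file, then verifies a restore against that manifest so that a damaged, truncated or substituted archive is detected before it is needed. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Create a backup archive with a SHA-256 manifest and verify it on restore."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src_dir: Path, archive: Path, manifest: Path) -> dict:
    """Write a gzip tarball of src_dir and a JSON manifest stored beside it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    digests = build_manifest(src_dir)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return digests


def verify_backup(archive: Path, manifest: Path) -> tuple:
    """Restore the archive to a scratch directory and compare it with the manifest.

    Returns (ok, problems) where problems lists files that are missing,
    unexpected or whose contents differ from what was backed up.
    """
    expected = json.loads(manifest.read_text())
    with tempfile.TemporaryDirectory() as tmp:
        restore = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore, filter="data")  # refuses unsafe paths
            except TypeError:  # older Python without the extraction filter
                tar.extractall(restore)
        actual = build_manifest(restore)
    problems = sorted(
        name for name in set(expected) | set(actual)
        if expected.get(name) != actual.get(name)
    )
    return (not problems, problems)


def demo() -> dict:
    """Constructed sample: a clean backup verifies, a changed archive does not."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "office"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.txt").write_text("petty cash: 120.00\n")
        (src / "staff.csv").write_text("name,extension\nA. Smith,201\n")
        archive = base / "office.tar.gz"
        manifest = base / "office.manifest.json"

        create_backup(src, archive, manifest)
        clean_ok, _ = verify_backup(archive, manifest)

        # Simulate a substituted or corrupted archive: contents changed,
        # but the manifest kept in the safe still describes the original.
        (src / "accounts" / "ledger.txt").write_text("petty cash: 0.00\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        tampered_ok, mismatches = verify_backup(archive, manifest)

    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "mismatches": mismatches}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the off-site copy rather than only on the server it describes; a verification run after each backup, and again on a test restore every few months, is what turns the safe full of tapes into something you can actually rely on.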
Critical Thinking is Only Half the Battle
You may recognise the signs of social engineering and use critical thinking to be on your guard, but how do you react? Do you have procedures in place to effectively deal with an attack?
For example, if you have to dismiss a staff member, do not allow them to leave the office on their own. Ensure that someone oversees them clearing their desk, returning keys and leaving the premises promptly. This may seem harsh, but disgruntled ex-employees have been known to attempt acts of sabotage after receiving their marching orders.
Finally, identify which areas of potential ‘hacking’ your staff are weak on. For instance, they may keep their computers up to date and shred their unwanted documentation, but they could be indiscreet on the phone. Therefore, tailor your training to address the weak points.