How often do you hear about company personnel losing data on the train, in a corner shop or even at the gym? Unfortunately, such incidents keep occurring on an almost daily basis. More worrying, however, is a recent revelation that many accidentally reveal passwords and usernames to anyone posing as a member of their organisation, for example an IT support worker or a senior manager.
Shocking? Yes, it is. Some employees actually assume that anyone found within their office premises is a member of staff, whereas the unfamiliar face in your office building asking you for confidential information could actually be an intruder with the sole aim of stealing information from you. Sometimes the impostor does not even have to go as far as being physically present on the office premises; a simple phone call can do the trick, as proven by an experiment conducted at the BBC.
This act of gaining private information (for example, on a computer system) by a stranger pretending to be a legitimate person is termed social engineering. Social engineering has been widely ignored in our society as a serious form of security attack; however, it can have very negative consequences for companies and individuals alike. Often an attacker will appear respectable, claiming to be a member of the organisation, and could even go as far as producing a form of identification to support his claims. At other times, he could take the cheaper route of simply checking the rubbish or even shoulder surfing.
Although some argue that this form of attack is not completely preventable, the following measures can help to keep it under control.
- Unsolicited telephone calls, emails or visits should be handled with care, especially when the individual appears to be interested in internal information. If in doubt, take every necessary measure to verify their identity.
- Organisations should invest more time and money in training employees about their network and security policies. Sometimes it is actually the person, not the infrastructure, who is the weakest link.
- Data leakage can also be reduced by limiting the amount of personal information about company staff that is made available on the company website, as it could be used by attackers to plan a social engineering attack.
- Physical security is also important. Access to computing facilities and office premises should be restricted, and the identity of contractors should be made known to employees and security personnel.
- Waste should be disposed of properly and securely, for example by shredding paper documents. This helps to prevent dumpster diving.