Cyberattackers often try to gain entry to critical IT systems through the various electronic entry points and backdoors left by the programmers who created them. Some hackers take the human approach, which can be much simpler, and attempt to get password and network access information by calling employees directly and impersonating their IT colleagues.
Recent cybersecurity breaches at Equifax, Chase, Target, and Yahoo have cost consumers and the companies hundreds of millions of dollars. Some chief executive officers (CEOs) and chief information officers (CIOs) at firms who have mismanaged the data protection part of their business have lost their jobs or resigned in disgrace. The need to protect important financial and customer information continues to be thwarted in seemingly small ways: an information “hatch” gets left open as programmers work on upgrades, repairs, or beta modules; passwords get posted online somehow; or the cyberattackers use social engineering over the phone or on the employee’s screen to get the access information they’re looking for.
Plenty of people get fooled by so-called “phishing” scams, in which an e-mail arrives looking like it comes directly from their bank, credit card company, PayPal, or even as an official-looking threatening message from “the IRS.” It’s just as easy for hackers to create e-mails that replicate a company’s logo and message design and ask for login and password information as part of “IT upgrades.” Every employee must be reminded not to respond to suspicious phone calls and e-mails that come from outside the firm, as opposed to more reliable messages sent over the internal intranet or phone calls that come from inside the company.
One example of a social engineering attempt aimed at a Jewish school was handled well by the school staff. A man called and asked, “I’m thinking of placing my 8-year-old in your school, and I’m worried about his safety. Can you tell me what kind of security you have to protect him?”
Ordinarily, perhaps, a typical school reception employee would be proud of the school’s focus on child safety and say, “Well, we have two security guards that work during the day and an overnight security guard. We have an alarm system in every classroom and our teachers are trained to move the kids into the classrooms and lock the doors if there is any type of lockdown emergency. We use volunteer parents, who patrol our parking lot and hallways. We have cameras everywhere and a panic alarm system in every classroom.”
What the school receptionist actually said was, “That’s a great question. We’re fully committed to keeping our students safe here. We’d love to set an appointment to have you and your son come down and meet our staff. You can fill out some paperwork that identifies you and your son and we’ll be glad to give you a brief tour.”
Besides not fully disclosing the security in place to this man—who could be an ordinary father looking for a school for his son, a potential school shooter, or a terrorist gathering information for a future attack—the receptionist’s answer created a screening process. The point is, she didn’t know who she was speaking to, and her answers were perfect: come here first, let us see your face and vet the information you give us, prove you have a child, and then we’ll give you a tour of our campus that shows you some—but not all—of our security measures. If the caller never shows up, no harm done. If he does show up, with or without his son, the facility can adjust how much it tells or shows him.
Through training reminders, rewards, and punishments for IT security policy deviations, we can shift away from an employee culture that continues to use 12345678 as passwords or gives information to strangers over the phone.