So, as we discussed, social engineering is usually the weakest link in document and IT security.
Our virtual dataroom clients frequently ask us for advice or best practices to fight social engineering. Here are the top 6 we tell them:
1. Protect Your Passwords
This sounds like a no-brainer, but it’s not as straightforward as it sounds. People regularly give out passwords without realizing it, for example after receiving a text message from the “boss” saying he has forgotten his password and can’t access his information while in an important meeting. Make it a rule that no-one ever discloses a password, under any circumstances whatsoever. If a password is mislaid, follow secure protocols for resetting it and creating a new one.
2. Educate Your Staff
Employee indiscretion is one of the primary ways social engineers get access to data, so train your staff not to fall victim to scams. They should never provide access to any information without the proper credentials, regardless of whom they think the person is or the reason they are given for doing so. Emails and telephone calls aren’t sufficient proof of identity. Remember when the Duchess of Cambridge was in hospital and an Australian reporter phoned for an update on her condition, pretending to be the Queen? That incident showed just how easy it is to convince someone to give out confidential information.
3. Lock Your Computer
Never leave your computer unlocked and unattended while you step away from your desk. A second or two is all it takes for a vigilant social engineer who knows his way around your network to access your passwords or plant malware that feeds him information. From viruses to keystroke loggers, once your computer has been accessed it can become an open gateway to your confidential information, even if that information is stored securely in virtual data rooms.
4. Skip the Out-of-Office
You wouldn’t post a notice on your home front door telling would-be burglars you’re out of town, would you? So why use an out-of-office auto responder for business? This kind of response not only advertises your absence, it often gives social engineers access to information they can use to impersonate you. It’s better to notify important contacts privately prior to going away or to forward messages to an alternative contact person to handle.
5. Nip Politeness in the Bud
Politeness is at the root of one of the most overlooked aspects of physical security. One “polite” employee who opens the door for an unauthorised person to enter the premises can provide access to the most secure virtual data rooms. Nip politeness in the bud by educating your staff about the risks associated with this kind of oversight, before it happens. Better to let visitors wait in reception under the watchful eye of your frontline staff than leave them unattended in an office. The scheduled “vendor” who arrives early for a presentation could easily be someone using a ruse to get inside and access your systems.
6. Escort Visitors Out
The accepted rationale for escorting visitors when they are on your company premises is to help them find their way to the person they have come to see. This is often overlooked once regular visitors are familiar with the layout, or when someone is leaving after a meeting. The person then has the ideal opportunity to access data on any computer.