Are You Being Socially Engineered?

When you receive a telephone call at work from a stranger, what information do you give out? Phone calls are one of the easiest ways to lose information to business competitors, cyber criminals and identity thieves. Questions like “What are the hot topics you’re working on these days?”, “Has your company been experiencing growth recently?” or “So how many people do you have in your Los Angeles office?” may all seem innocent, but when combined with answers gathered from other sources, these small tidbits can be pieced together into sensitive information, like a puzzle.

Social engineering is a term that describes a non-technical kind of intrusion that relies on human interaction and often involves tricking people into breaking normal security protocols. Social engineers often rely on the inability of people to refuse a request for assistance, as well as their desire to help others.

Security professionals tend to focus on preventing the theft of intellectual property or personal information, but much of this type of loss occurs not through theft but through leakage. Small pieces of information are given away by you or your employees around the clock. As employers, we watch for the person who physically takes confidential documents or information about secret processes, but we fail to see that employees give away intellectual property by handing skillful interviewers small slices of seemingly innocent information that can be reverse engineered into something of value.

An easy way to foil this type of activity is to create a policy that prohibits the release of any company information over the phone. If someone asks about personnel names, research data, company statistics or other similar information, the best response is to state that company policy doesn’t allow that kind of information to be given out, and then add, “…I’d be happy to take your name and phone number and have the right person call you back.” At that point you can channel the contact information to your communications director or a similar appointee, who should be more familiar with which data can properly be shared with the public.

Do you check references before saying anything to a new acquaintance who is “in the same field as you”? You should. Do you call them back by phoning their company’s main number and going through the switchboard first to verify that they actually work there? Also a good idea.

Education is the key. We must educate our employees (and ourselves) to recognize what is public information versus private data, and to realize that what may seem innocuous can really be a vital piece of the puzzle.