Management must understand that all of the money they spend on software patches, security hardware, and audits will be a waste without modifying staff behaviour and their susceptibility to social engineering. So what countermeasures can we implement?
Firstly, policies - one of the advantages of policies is that they remove the responsibility of employees to make judgement calls regarding an attacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the attacker's request.
You need to ensure that everyone shreds unwanted phone lists, email lists and other important documents. Some documents will obviously need to be locked away, so you must provide employees with sufficient lockable storage space to enable this. In the end, best practice is to have a clear desk policy which is enforceable and workable.
All staff must use screen savers with password controls and be instructed to lock their PC every time they leave their desk – opportunist access to unattended PCs is very common. Any sensitive information stored on desktops, laptops and PDAs must be encrypted. Smartphones and PDAs should have infrared and Bluetooth disabled by default and the organisation must have a policy restricting their use or the sensitivity of information stored on them.
Wireless LANs must be properly configured and tightly secured, whether in the office or at an employee’s home. Sensible guidelines must be issued to all staff regarding the risks of using wireless hotspots and Internet cafes. The organisation must ensure that all remote access is secured using VPNs and that no sensitive traffic, including e-mail, is transmitted anywhere in the clear.
A process and policy should exist to ensure that all hard disks, CDs and other media are physically destroyed rather than recycled or simply thrown away. A recent survey of 100 hard disks purchased on eBay and at car boot sales showed around 40% had sensitive data easily recoverable and a further 40% had not even been formatted.
This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at http://www.fbtechies.co.uk