IT departments like to think of themselves as modern knights of old. They are there to protect their company’s networks from cyber attackers waiting at the walls for any opportunity to attack and steal the data on the other side. While it is true that a good security team can help to prevent attacks, it may come down to the ordinary employee to keep the network safe.
One attack vector that is difficult to plan for is social engineering. Social engineers are clever hackers who exploit the good nature of average users and their general lack of savvy about complex computer security issues. These attacks do not only arrive through the computer; they can also take other, more mundane forms. That is why employee education on these attack vectors is so important.
Smart users may be suspicious of a file on the desktop they didn’t put there, or of a link sent in an email. What about a flash drive lying in the hallway? A well-meaning employee, thinking that a coworker has lost their flash drive, will likely put the flash drive into their own computer to see if they can use any of the files on it to identify the owner. And then hackers have them. The flash drive was actually a delivery device that has now put malware or a monitoring program on the PC of the person who inadvertently allowed them access.
What about that visit from the copier repair man? Even if your office has an approved visitors list, a well-meaning employee might let in an official-looking delivery person or repair man who didn’t appear on that list. Most people don’t expect that a hacker would be so bold as to show up, in person, to deliver an attack to the network. That is just what they are doing.
Make sure that you have a strict policy of escorting visitors at all times. When a visitor shows up unannounced, make sure that the appointment is confirmed before you ever let that person into the building. Train your employees to notify security if they see someone they do not recognize moving about the building unescorted.
What’s old is new, and this is truly the case with telephone attacks. In the past, hackers would call up offices and convince well-meaning administrative assistants to connect them to long distance computer systems to avoid charges. Today, hackers are using phones in a different way but to the same effective ends.
Train your employees to never give out passwords or other network information over the phone. If phone assistance is needed, verify that the caller is indeed an employee before assisting with a password reset or other sensitive network actions.
If you need help with network security issues for your business, contact U.S. Computer Connection today. And don’t miss our upcoming webinar on Social Engineering Fraud, happening March 24!