When you mention "information security" nowadays to most company executives, their eyes glaze over, either because they are expecting a stream of geek-speak to spew forth or because it causes them a massive headache to even think about. I've given a couple of talks recently about what companies in various industries can do to help keep their information and trade secrets from being released to the general public (including a presentation at a conference by the American Conference Institute on Clinical Trials, held last month in NYC, which will be held again in September in San Diego - check the American Conference site or email me for more details), and it's become really clear that many companies don't realize that they can probably stop 70% of attempts to retrieve confidential information by following a couple of very basic, very cheap tips.
So here are just a few tips that any company can implement and for which the cost will be pretty darn low:
1. Check Your Attitude. There are some companies that still, amazingly, believe that "ah ... those punk hackers will never try to attack me - there's nothing here they'd want." Balderdash. Every company must quit that attitude. Almost every company keeps names, addresses, and possibly phone numbers and SSNs or other information somewhere in a file, for employees, customers or others involved with the company, that thieves could use as valuable information to steal an identity. It doesn't take that much to pretend to be someone else and end up ruining credit, stealing money or just making mischief and mayhem. If your organization seems to have this attitude, you'd be wise to try to stop it, because it could be YOUR information they take next. There are some fairly inexpensive firewall programs that companies can implement just to keep out the lazy hackers (and there are a lot of those), as well as just paying attention to some of the following tips.
2. Check Your Website. Do a regular, periodic check on what is available on your company's website and intranet pages and institute a policy that no documents that should be confidential should be on any URL connected with the public website (and the intranet, unless you are 100% sure it's secure). This should include all pages readily available to the public by clicking on links as well as "hidden" pages that are supposedly only accessible to "those in the know," who have been told of a page that has been uploaded so that certain people can see it if they know the URL. It's amazing what companies will have uploaded and not even realize it, and what stays uploaded. I've seen people, who are much more skilled than me, find marketing plans, business plans, customer lists, etc., from websites where the company probably thought "oh, no one will try to find this, we'll upload it for 5 days to allow the committee to see it and then take it down." Inevitably, someone forgets to take it down or it's somehow been cached on the net or problems with your company's website just keep it available. This wasn't even a "hack" - this was information that the company itself had left out there, waiting to be retrieved by someone who knows the kind of search to run on a search engine.
A friend of mine, John Christiansen (an IT lawyer in Seattle), recently participated in a contest called the "Google Hack." The teams had 45 minutes to gain as many points as possible, with points gained by just using the Google search engine to find names, addresses, DOBs, SSNs, etc. The results were downright scary. Within 45 minutes, John and his team blew away the competition, garnering 190,000,000 points, as well as discovering several databases with SSNs, credit card numbers, and other pertinent information that make identity thieves giggle with glee. Another tip that was gleaned from this competition appears at the end of my list. This competition was a scary eye-opener into how people who are just a little more skilled than the average Joe can turn up very valuable information that you would likely rather never, ever see on the Internet.
3. Change Passwords. There are two basic categories of enemies that every company faces - the "attacking outsider" and the "trusted insider." Regarding the insiders, your employees or others that you grant access to aren't necessarily trying to undermine your company and its information or security. But we're humans and we make mistakes. My first tip to make sure the insider isn't giving away your information (or helping to give it away) is to force your employees to change their passwords every couple of months. I know, it's a pain. No one likes to do it - we have passwords for nearly everything we do nowadays, and memorizing all of them is a pain unless you have a natural aptitude for that. But this is just so basic for preventing repeated attacks. Once a hacker figures out a person's password, they'll keep using it again and again and again until the password doesn't work, and then they'll generally move on to the next potential victim. Also, making them change their passwords often makes most employees realize (at least a little more) that the company really values its privacy and security - they're constantly reminded of it.
4. Newsletter. Which leads me to the next tip. You shouldn't bombard your fellow employees with a huge dump of information about security and then never mention it again. Start a program that spans the HR, IT and communications departments of your company and have an email or hard copy letter that comes out every so often, reminding people to change passwords and that has one more tip from the company about improving security. Remind them in this letter that by following those tips, they actually improve their own personal information security (after all, if someone is able to get into certain files and retrieve the SSNs of employees, those employees may be toast while the company isn't as affected). Word the notice so that it emphasizes how much the company cares about protecting its own information (and, hence, the company's value and existence) and protecting its employees' information.
5. Social Engineering - Train Your Employees. Again, one of the weakest links in any company's security program is its own employees. The British Computer Society ran a couple of simple experiments to see how easily people would give up their personal information. In one such test, they gave a class of students in a computer security course (!) an "orientation form," which asked them to provide their logon userid and password, mother's maiden name, dad's occupation, etc. Most of the students provided all of that information, and only a few either didn't fill those out or provided just partial information. In another experiment, they staked out Waterloo Station in London and approached 170 office workers, asking each for their password. 35% said "sure." Another 44% said "here's my password" when they were then offered a chocolate bar. So in all, 79% of the workers were perfectly comfortable just giving out a password. Now, the experimenters might not have known other info that would have let them immediately hack those employees' systems, but it does tend to show that it's way too easy for people to be smooth-talked into giving out information.
Train your employees to never give out their passwords to anyone except perhaps someone they know for an absolute fact is in the IT department. They shouldn't even give it out to a fellow worker (remember the AOL employee who sold 90,000,000 AOL email addresses to spammers? He gathered all the addresses by using a colleague's password to get to the lists). If someone calls or approaches them and asks for some sort of information about a company and their "spider senses" tingle, they should be trained to say to that caller "this is a busy time, can I get your name and number and call you back in a few minutes to discuss this?" Most thieves who are trying to get information will turn and run.
6. Don't Ask For, Give Out or Publish Your or Another's SSN - and train your employees not to do so. It's amazing how many companies still use SSNs as identification numbers for their employees or customers. Don't. Do. That. Unfortunately, this information is still way too easy to find. Use a random number system. It might be a bit of a pain, but right now, it's just foolhardy to use an SSN as an ID number (it's also against CA law to force customers to give an SSN in order to access a website or page). Let's take back the SSN and stop the madness and identity theft. In 99% of the cases where you are asked for your SSN, it's really NOT needed. Except for you and your employer, your SSN should not be asked for. A health insurance company asks for it on the application? Make them explain to you why they need it. They don't. There are other ways for them to verify identity. Your video rental company wants it? Too bad. Get in the habit of NOT giving it out, or of making them give you a REALLY good reason to need it.
Conversely, think about what information you ask for from your customers. Do you really need that? Are you really using it? Or did it just sound good to ask for it? If you do not need it, don't collect it - it's just more information that you could inadvertently release to the Internet/public and that could get you in trouble.
From the contest mentioned in tip #2 above, the contestants found CVs where the people had listed their SSNs, spouses and children. I hope your jaw also just dropped. There is simply no reason to put an SSN on a CV, nor your spouse's or children's names (unless you're trying to capitalize on that? It doesn't make you look "more human," as some have tried to explain to me ... you actually look less professional, IMO, and a CV is supposed to be professional).
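Tip #2 (sweep your own website before the search engines do) and tip #6 (SSNs in documents) both come down to the same periodic check: look through everything in the web root for material that should never have been uploaded. Here is an added example of such a sweep, written for this post and not taken from anything the author or the contest used. It assumes the web root is a local directory of text-like files (HTML, TXT, CSV, Markdown; binary formats such as PDF would need a text extractor first) and that the list of "internal" marker phrases is one you would adjust for your own company. It flags SSN-shaped numbers only when the Social Security Administration could actually have issued them, and card-shaped numbers only when they pass the Luhn checksum, so ordinary order or tracking numbers don't drown the report.

```python
"""Pre-publication sweep of a web root for data that should never be public.

Added example, not from the original post. Assumes the web root is a local
directory of text-like files; the MARKERS list is a placeholder to tailor.
"""
import re
import tempfile
from pathlib import Path

# Only formats we can read as plain text; everything else is skipped.
TEXT_SUFFIXES = {".html", ".htm", ".txt", ".csv", ".md"}

# Phrases that mark a document as internal. Assumed list; adjust to your own.
MARKERS = ("confidential", "internal use only", "do not distribute")

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, evidence) pairs for every hit in one document."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", m.group(0)))
    lowered = text.lower()
    hits.extend(("marker", mk) for mk in MARKERS if mk in lowered)
    return hits


def scan_webroot(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Walk the web root; report every file with at least one hit, keyed by relative path."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo() -> dict[str, list[tuple[str, str]]]:
    """Build a constructed web root in a temp dir and scan it (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "committee").mkdir()
        # Constructed "forgotten" upload: a marked-internal plan holding a card number.
        (root / "committee" / "plan.html").write_text(
            "<p>CONFIDENTIAL - Q3 marketing plan. Corporate card 4111 1111 1111 1111</p>",
            encoding="utf-8")
        # Constructed CV that lists an SSN, the pattern tip #6 warns about.
        (root / "cv.txt").write_text(
            "Jane Doe, SSN 123-45-6789, references on request", encoding="utf-8")
        # Harmless page: area 000 is never a real SSN, and 12 digits is too short for a card.
        (root / "index.html").write_text(
            "Order 000-12-3456 shipped; tracking 123456789012", encoding="utf-8")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

Run it against a copy of the real web root (`scan_webroot(Path("/var/www/html"))`, path assumed) from a scheduled job and treat any new entry in the report as a ticket to take the file down; that is cheaper than discovering it through a search engine later.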
Those are the really easy tips. In future posts (so this one isn't wastefully long), I'll post tips that might be a bit more complicated. If you implement some of these (along with the firewalls and anti-virus/malware software that you have), you'll likely go a very long way toward improving your company's and your own information security. Oh - and a shredder. It's hard to make every employee shred every document (nor is that really needed), but start thinking about what really should be shredded - dumpster diving still does occur.