Social Engineering: What Your Business Needs to Know to Protect Itself
FEB 16, 2015 12:58 PM

By Drew Hendricks

A recent Jimmy Kimmel skit revealed a pressing issue facing businesses today: password security. Kimmel, armed with a microphone and camera crew, took to the streets of Hollywood to ask people about their passwords. Not only did they willingly hand over information about their passwords on national TV, but they clearly demonstrated another vulnerability. Pet names, children’s names, and dates remain the most popular inspirations for passwords, despite the fact that these are the worst passwords a person can choose.

Kimmel’s experiment showed that with a little information about a person, a hacker could gain entry to sensitive accounts like financial and healthcare insurance systems. This has led to a type of malicious activity known as social engineering, where a criminal uses the information a person willingly gives away to guess his passwords. Here are a few things a business can do to protect itself against an embarrassing data breach due to employee password behaviors.

Educate and inform

Thanks to social media, your employees are freely handing out information about themselves every day. Without even thinking about it, they give out pet names, anniversary dates, birthdays, and their favorite pastimes. It isn’t difficult to guess that a mom whose favorite hobby is quilting and whose birthday is January 12 has a password of quiltingmom011278.

While businesses aren’t likely to cure employees of their over-sharing tendencies overnight, a little education can go a long way. Without getting personal, point out the information a criminal can gather just by reading a person’s public Facebook posts. Also teach the basics of creating a complex, difficult-to-guess password that can’t be easily deciphered by cracking software.

Set strict password policies

No amount of education will completely eradicate password irresponsibility, but fortunately these policies can be enforced at the server level. Configure your systems to reject any password that doesn’t meet the requirements: at least eight characters, no occurrence of the person’s name or the company name, at least one uppercase letter, at least one lowercase letter, and at least one special character (#, *, &, etc.). Your system should also reject any password that employee has used before.
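The policy above, written out as a server-side check. This is an added example, not code from the article or from any product it mentions; the name lists, the special-character set, and the use of salted PBKDF2 digests for the password history are assumptions made here so that previous passwords never have to be stored in clear text.

```python
import hashlib
import hmac
import os
import re

# Assumed policy parameters (not from the article): minimum length and the
# characters that count as "special".
MIN_LENGTH = 8
SPECIAL_CHARS = set("#*&!@$%^()-_=+[]{};:,.?/")
PBKDF2_ITERATIONS = 100_000


def _normalize(text: str) -> str:
    """Lowercase and keep letters only, so 'Jane-Doe' still matches 'janedoe'."""
    return re.sub(r"[^a-z]", "", text.lower())


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storing in the per-user password history."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def check_password(password: str, *, user_names, company_names, history) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    user_names / company_names: strings that must not appear in the password.
    history: iterable of (salt, digest) pairs produced by hash_password().
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("no special character")

    # Name checks are done on normalized text so case and punctuation do not help.
    norm_pw = _normalize(password)
    for name in list(user_names) + list(company_names):
        norm_name = _normalize(name)
        if len(norm_name) >= 3 and norm_name in norm_pw:
            violations.append(f"contains the name '{name}'")

    # Reuse check: recompute the digest with each stored salt and compare in constant time.
    for salt, digest in history:
        if hmac.compare_digest(_digest(password, salt), digest):
            violations.append("reused a previous password")
            break
    return violations


if __name__ == "__main__":
    # Constructed sample data for a single user.
    old_passwords = [hash_password("Old#Pass1")]
    for candidate in ["quiltingmom011278", "Quilting#Mom12", "Acme#Rocks2015", "Old#Pass1"]:
        print(candidate, "->", check_password(
            candidate,
            user_names=["Jane Doe"],
            company_names=["Acme"],
            history=old_passwords,
        ) or "accepted")
```

The password from the quilting example earlier in the article fails two of the checks (no uppercase letter, no special character) even though it is long enough, which is the point: length alone does not make a password that is built from public facts hard to guess.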

In addition to server-level policies, you should also have written policies that make it clear that passwords should not be shared with anyone but an authorized IT employee. Habits like leaving passwords on sticky notes under keyboards should be prohibited and IT workers should be trained to educate employees when they see this behavior happening.

Require signed security agreements

For an additional layer of protection, businesses should consider putting in place a computer use agreement for each employee. This agreement should emphasize that the employee is being granted the use of electronic equipment for work purposes and that this equipment should be used responsibly. This signed agreement can serve as proof that employees were aware of your organization’s policies at the time they began employment and agreed to take responsibility for their own actions.

Primarily, however, a signed agreement serves as a proactive measure in safeguarding your network. It outlines each of your policies regarding Internet use and password safety and, since the employee is asked to sign it, it also makes clear that you put the responsibility on users to act responsibly while using your servers and devices.

Restrict access

At the server level, you should lock down access to the minimum each employee needs to do his job. Administrative access to servers and applications should be limited to as few people as possible. On a regular basis, have your IT administrators provide a report of your user accesses and review it to make sure rights have been changed as employee roles have changed within your organization.
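One way to turn the access report described above into something reviewable is to compare what each account currently holds against what its current role entitles it to. This is an added example, not the article's own procedure or any vendor's tool; the role-to-entitlement table, the set of rights treated as administrative, the cap on administrator count, and the sample accounts are all constructed for the illustration.

```python
# Assumed role baseline: which rights each job role is entitled to.
ROLE_ENTITLEMENTS = {
    "accountant": {"ledger:read", "ledger:write"},
    "sales": {"crm:read", "crm:write"},
    "sysadmin": {"ledger:read", "crm:read", "server:admin", "app:admin"},
}

# Rights considered administrative for the "as few people as possible" check.
ADMIN_RIGHTS = {"server:admin", "app:admin"}


def review_access(current_access, hr_roles, role_entitlements=ROLE_ENTITLEMENTS, max_admins=2):
    """Compare current account rights with the role baseline.

    current_access: {account: set of rights currently granted}
    hr_roles:       {account: role name from HR}; accounts missing here have no owner
    Returns a dict with rights to remove per account, accounts with no HR role
    (leavers or forgotten service accounts), the admin-right holders, and whether
    the admin count exceeds max_admins.
    """
    report = {"excess": {}, "orphaned": [], "admins": {}, "too_many_admins": False}
    for account, rights in sorted(current_access.items()):
        role = hr_roles.get(account)
        if role is None:
            report["orphaned"].append(account)
            continue
        allowed = role_entitlements.get(role, set())
        # Anything not in the role's entitlement is a leftover from an earlier role
        # or a one-off grant that was never revoked.
        excess = sorted(set(rights) - allowed)
        if excess:
            report["excess"][account] = excess
        held_admin = sorted(set(rights) & ADMIN_RIGHTS)
        if held_admin:
            report["admins"][account] = held_admin
    report["too_many_admins"] = len(report["admins"]) > max_admins
    return report


# Constructed sample data: alice moved from sales to accounting but kept a CRM
# right; carol has left and is no longer in HR; dave was granted server admin.
SAMPLE_ACCESS = {
    "alice": {"ledger:read", "ledger:write", "crm:write"},
    "bob": {"server:admin", "app:admin", "ledger:read", "crm:read"},
    "carol": {"crm:read"},
    "dave": {"crm:read", "server:admin"},
}
SAMPLE_ROLES = {"alice": "accountant", "bob": "sysadmin", "dave": "sales"}


if __name__ == "__main__":
    for key, value in review_access(SAMPLE_ACCESS, SAMPLE_ROLES).items():
        print(f"{key}: {value}")
```

Running the review on the sample data flags alice's leftover CRM write right, dave's administrative right, and carol's ownerless account; the admin count (bob and dave) sits at the cap, so it is not flagged, but any further grant would be.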

In your office environment, you should also limit access to your employee offices, ideally through keycard-based entry systems that can be tracked. Any non-employees should be required to remain with an escort at all times. There are instances where hackers utilize a confidence trick to persuade employees to hand over the information a visitor needs to later infiltrate a business’s systems.

Social engineering may become a serious problem in businesses, but with a few precautionary measures, organizations can stay safe. By educating employees and putting the right security measures in place, businesses can protect themselves on all sides from embarrassing hacking incidents.

Drew Hendricks is a freelance writer.

