Sidebar: Security experts from both government and the private sector offer suggestions to protect your company from hackers using social engineering techniques to break into computer networks.
Editor's Note: This is a sidebar to Social Engineering: The Human Side of Hacking.
Hackers looking to disrupt business or steal corporate information are using social engineering techniques to break into computer networks. Security experts from both government and private businesses offer some suggestions to protect your company from these attacks:
Shred any phone lists, email lists or other important documents before recycling them or throwing them in the trash;
Give extra security training to the people on the company's perimeter -- security guards, help desk workers, receptionists;
Pay help desk workers well and try to keep the turnover rate down. They have route access and a tremendous amount of power. Treat them with respect;
Put procedures in place that outline what to do if someone calls needing assistance with a password, user ID or other form of authentication;
Give the chief security officer access to top executives. Put him or her in the board room so security concerns are given the corporate attention they warrant;
Have a security assessment test performed and heed the recommendations. Make sure you test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack;
-- Have the first test performed when the company is expecting it;
-- Do a blind test the second time around;
Train all of your employees and let them know they all have a role in protecting the company and that means they're protecting their own jobs;
Let employees know they don't have to be pushed around. If someone calls and tries to threaten them or confuse them, it should raise a red flag;
Remember to update training and train new employees as they come on board;
Set up policies for what can be discussed over the telephone, what can be discussed outside the building, what can be posted in news groups, what can be written in instant messages and what can be written in an email;
Don't forget the security basics, like never leaving a password on a sticky note on the computer monitor;
Encrypt information on desktops, laptops and PDAs;
Install cameras so you can see who is coming and going;
Use biometrics or electronic security badges to limit access to the building;
No one should hold the door open for anyone not showing proper ID;
Don't allow employees to leave email notification or voicemails alerting callers that they are away on a business trip or vacation. It sets up the replacement as a target.