Monday, August 18, 2008

Security Alert: Please Don't Give Out Company Secrets to...

While answering a somewhat vague phone call from someone this morning I was reminded of a security measure that was in place at a former employer.

From time to time we would receive email alerts, usually in batches, through the assistant to our VP, from the security team. The alert would state that someone purporting to be from company X was calling trying to get information from the company and that we should refer them straight to security if we should find ourselves talking to them. These things would come in batches, and the only change in the message was the company name, and often not by much.

The thing that always struck me as odd about the alerts is they instructed us to not give away proprietary information to people claiming to be from a specific company. Did that mean that it is ok to give away company secrets to people from other organizations? Also, could someone give good instructions on how to transfer a call?

If I were in charge of security I would do what I could to educate people on how they can be susceptible to social engineering and deception. Listen to this mp3 of the 2600 guys at The Last Hope to hear how someone can use a phone to make people do things they wouldn't normally do.

I don't think that sending out an alert every time someone tries to pretext the company, informing people to refer the pretexter to security, is the worst way to handle threats, but I think it is reactive. The issue that I take with this method is that the people who have the ability to disclose information don't receive any training on how to identify callers of ill intent.
