10 Tips To Deter Social Engineering
Only You Can Prevent Data Theft
Shawn Stewart
Mr. Stewart has 27 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Masters in Cybersecurity, a Bachelors in IT, a Minor in Professional Writing, and is a published author.
Most office spaces were not designed with security in mind. Multiple entry points, open corridors, and network ports in unprotected areas are difficult to protect. Those with a single entry post a receptionist or operator as a gatekeeper, thinking any human will deter a thief. Today’s Social Engineers are prepared for such challenges and most gatekeepers are not. Instead of dangling your receptionists as bait for the wolves, here are ten (10) changes you can make today to protect your business from cybercriminals who show up in person.
Deter Network Access
A box the size of a credit card connected to an open port is all a threat actor needs to gain full access to most networks. Why spend time hacking Wi-Fi or firewalls when most offices have open network ports in the lobby or guest phones that connect into the corporate network? Guest Wi-Fi is also an outdated offering that leads to data breaches.
1. Start by only connecting or enabling switch ports for verified and active devices. This can be physical, programmed on the switch, or, preferably, both. No physical access is best, as some unpatched switches can be accessed even when the port is disabled in the software. Switches are the backbone of all data in a company. Access here means a clear path to every device on the network.
2. If guest access is required, segment all guest traffic away from corporate networks and straight to the Internet. Use a physically separated Internet circuit for Guest traffic and monitor it constantly. Block traffic to questionable sites and be sure all users agree to an acceptable use policy.
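As an added illustration of tips 1 and 2 (not part of the original article), here is a Cisco IOS-style switch configuration that shuts down unused lobby ports, pins each active port to a single learned device, and confines a guest VLAN to Internet-only traffic. Interface names, VLAN numbers and addresses are assumed for the example; physically disconnecting unused drops and using a separate guest circuit, as the author recommends, still apply on top of this.

```cisco
! Unused lobby drops: shut down and parked in an unrouted "black hole" VLAN
! (assumed interface range and VLAN number)
vlan 999
 name BLACKHOLE
!
interface range GigabitEthernet1/0/20 - 24
 description LOBBY-UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Reception PC: port security allows exactly one device, learned on first use,
! and err-disables the port if a second MAC address (e.g. a drop-in box) appears
interface GigabitEthernet1/0/1
 description RECEPTION-PC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Guest VLAN: may reach the Internet only, never the corporate RFC 1918 ranges
! (assumed VLAN 50 and 192.168.50.0/24 addressing). If guests rely on an
! internal DNS or DHCP server, permit that host explicitly before the deny lines.
vlan 50
 name GUEST
!
ip access-list extended GUEST-INTERNET-ONLY
 remark block guest -> corporate private address space; "log" records attempts for review
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan50
 description GUEST-GATEWAY
 ip address 192.168.50.1 255.255.255.0
 ip access-group GUEST-INTERNET-ONLY in
```

Review the logged denies and any err-disabled ports regularly; a port that trips port-security in the lobby is exactly the event this tip is meant to surface.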
Deter Physical Access
Even if you are a 1-person chiropractic office, you have data that hackers want. Customer information, medical records, and credit card numbers can all fetch cash on the Dark Web. Read about the Dark Web here (Link). If I can simply walk into your office undeterred and sit down at your desk or plug in a secret device, then I will. Not every person walking in wearing a suit is a salesperson.
3. Secure your office doors and windows. Most door locks, even deadbolts, can be picked in a matter of seconds. Key card systems that use electromagnetic door locks are the best option, though they too can be bypassed. Cameras are imperative both as deterrents and for evidence.
4. ALWAYS lock your computer screens when you walk away. Also, lock down any computer system in the lobby. You’d be surprised how often computers are just taken. How much of your data sits on that computer?
Deter Unwanted Visitors
A heavily trafficked office, especially by potential and current customers, is a positive sign for business. However, not all visitors are there for your benefit. With hackers posing as job applicants to infiltrate companies, a Help Wanted sign can be an open invitation. Read more here (Link).
5. All visitors should be escorted at all times when inside your office. While it may sound obvious, be sure all your doors and windows are locked and not unlocked or wedged open.
6. Trust but verify. Every person who enters your office should provide government-issued identification. Whoa! Isn’t that an invasion of privacy? If that person single-handedly closes your business, wouldn’t you like to know who it was? If you ask for ID, most hackers will show you a fake company badge or business card. Government ID is the only way to know the person is real. Yes, you can fake a driver’s license, but it’s not that easy. Guest logs are also imperative.
Don’t Give Away The Goods
Several companies have fallen victim to phone and email scams, allowing scammers to walk away with millions. The problem? Poor or missing policies.
7. All companies, even those with a single owner, need a policy regarding financial transactions and transfers. NO ONE should be able to transfer funds or provide a credit card without physical, in-person validation from the owner or board members. Deepfakes using live audio and video have fooled even top CFOs into transferring millions to scammers. Read how they did it here (Link).
8. Additional policies must prevent the transfer of files through email or upload without express written consent. Imagine the fine your small chiropractic office would face if you committed a HIPAA violation by sending your private customer information to a hacker. Never believe anyone claiming to be a corporate authority through email or on the phone. Also verify any requests internally through known valid channels.
Everyone’s Job To Deter
Training is the key and not just for those who are at the front desk.
9. I’m not saying your receptionist needs to be a bulldog or honky-tonk bouncer, but they should have the mentality of a front-line defender. Never be afraid to question anyone in the lobby, and never be afraid to call the authorities if someone is acting suspiciously.
10. See something, say something. Every employee should be willing and able to question an unknown person in the office. Saying, “it’s not my place,” will have new meaning if you could have stopped a data thief and you find yourself unemployed.
You can call me paranoid and maybe even overbearing. But, these things are happening all around you (Link). As the economy continues to sour, theft continues to increase and data payouts are higher than a pawnshop. If your company data walks out the door, your business may go with it (Link). Aren’t you willing to do whatever it takes to prevent that from happening?
Need Help?
Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.
Check Out Our Podcast!
The Hillbilly Hacker Podcast is the hottest new show on the Internet to learn about today’s latest technology in simple words. You can find the Hillbilly Hacker on Spotify, Apple, Amazon, or wherever you find your podcasts. (Link)