Get yourself a sense of security
Production Journal

Securing your IT - and reputatiion
Whitehaven News

Cumbrian firms urged to be better prepared for floods
News and Star

Keeping newsroom information safe
Submitted to UK Press Gazette

Cumbrians must prepare for wave of Cyber Crime
Lake District Messenger

Can your web site be trusted?
Lake District Messenger

Production Journal August 2010

A new breed of criminal has become firmly established in our society. Termed social engineers, they combine the frightening combination of confidence trickery and technological know-how.

When was the last time a member of your staff was asked for confidential information over the phone?

Knowing your company is a target is your first defence against the profiling tactics that these fraudsters use.

They research the background of a company - and its staff - using all the commonplace tools that we have around us: Google, newspaper articles, social networking sites and even scan job adverts to find the skills required to join the IT department (which often contain lists of hardware and operating systems the company uses).

Such snippets of information contribute to a larger picture culminating in an attack. You would be wrong to prepare only for a hi-tech "cyber" attack - after all, why would a hacker go to all the trouble of circumventing your expensive Intrusion Prevention System when they could just call a new recruit in the office pretending to be from the IT department?

Picture the havoc that could be caused if a social engineer, posing as an IT technician, was to gain the confidence of a new recruit. Usernames and passwords could be innocently divulged and a list of commands entered that silently download malicious software. The imposter could also learn more about the network behind the "safety" of the firewall.

No firewall, Intrusion Detection System or method of password encryption will stop a social engineer from accessing your systems - the best way to mitigate the risk of a security breach is to combine the technology with security awareness training backed up by policies and procedures.

Companies that carry out security penetration testing (pretending to be hackers) state that their attempts to break into clients' computer systems using social engineering tactics are almost always successful.

Over many years working in newsrooms, I've lost count of the number of usernames and passwords I've seen stuck to employees' monitors. More worrying is the number of IP addresses and network diagrams that can be found stuck to IT department pin boards. These could all be seen and used by visitors to the premises.

Good security awareness training should:

• start on day one of the new recruit joining the company. Some companies actually don't allow their staff access to IT equipment, or have access to areas that contain sensitive information, until they have undergone security awareness training.
• involve the person. They are much more likely to pay attention if they know they are not just protecting corporate details but potentially their own confidential employee information.
• ensure everyone understands the reason behind the policy. Social engineers thrive on people using ignorance as an excuse.
• target the audience correctly - from cleaners not letting strangers into the building to the Chief Executive understanding the dangers of using the their corporate email address and password as facebook, linked in or paypal credentials.
• be informative, giving real life examples of current threats.
• extend beyond the office and influence how staff deal with sensitive information in general.
• be ongoing, inform of possible random spot checks and have the full commitment of senior management.

In a time of austerity with crime rates expected to rise, be on the alert to ensure your staff and company are prepared for the unexpected.