According to the SC Magazine article "Reducing network breaches", between 178 and 218 million user accounts, email addresses, token seed files or "records" were stolen from organizations by cyber thieves in the six largest published network breaches. That is pretty frightening!
How could this happen? The article suggests that social engineering attempts are especially problematic. Years ago many people received the Nigerian email, in which a wealthy foreigner needs help moving money out of his homeland and promises a reward for helping him. Things have gotten more sophisticated since early scams such as that one. The article suggests that organizations need to provide continuous information to employees, warning them against giving out information in response to unsolicited calls, email messages or visits. Some email messages requesting information appear to be legitimate, or may offer a prize for providing information, which may entice some folks to willingly give away valuable company information.
Thumb drives, wireless networks, smart phones, and laptops make life simpler for employees, but they can also weaken the network perimeter and the safety of corporate information. The article suggests that smartcards, backed by a credential management system, be used so that multilayered strong authentication protects access to corporate servers, VPNs and cloud applications.
The protection of customer information is critical to the continued success of a company. PCI compliance will not guarantee 100% protection, but it is a good place to start.
The bottom line is that employees are the first line of defense against social engineering attempts. American children are taught to help others and be friendly. The author encourages organizations to continuously remind employees to be skeptical of others asking for information. I would encourage employees not to complete unsolicited surveys. The best response to an unsolicited phone call asking you to complete a survey is to ask the caller to take you off his or her list. You have no way of knowing who the caller really is, where the information is going or to whom it might be sold. Professional magazine subscriptions require a subscriber getting a free publication to provide certain information. If you don't read the publications, do not subscribe. If you do read them, provide the least amount of information possible. Never provide a co-worker's name, title or email address. Most technical magazines are available at no cost online anyway.
We should all learn to be skeptical. Being skeptical is healthy. Most skeptical people couldn't imagine why a rich Nigerian would need their help to move money, and most skeptical folks wouldn't believe an email message from the US Postal Service asking for personal information so it could deliver a package to their facility. How would the US Postal Service have your email address? Answer: it wouldn't. It takes only a few minutes for us to think about the information. Does it make sense?
It will pay off to be skeptical.
References:
http://www.snopes.com/fraud/advancefee/nigeria.asp