August 2009

It can be an official looking internal document that lures your employee to follow certain instructions, or an email from an attacker who befriended your employee on a social network site like Twitter or Facebook in which they deceive them into checking out a link they sent. Little do they know it’s a trap that will expose your business data.

Earlier this year, an online scammer made off with Social Security numbers after sending a virus to a computer at the Department of Human Services office in Coos Bay. An email was sent to multiple employees within the department but only one clicked on the link, which then downloaded an application that recorded keystrokes and sent them to an external address.

MTV Networks was also breached when an employee’s computer was compromised through an internet connection. Experts said an employee may have fallen victim to a social engineering trick that allowed a trojan to be installed on their machine. Data included the names, Social Security numbers, birth dates and salaries of around 5,000 employees.

Spear phishing corporate executives heightened during April of last year. The New York Times reported that “thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.”

Another way to gain access to valuable company data is by physical access. Most people are not confrontational and typically want to be helpful. Attackers prey on this basic human behavior. Many times NCX Group has gained access to server rooms by relying on the helpful nature of employees. We have discovered through our physical assessments that access to critical areas are especially easy during times of upheaval or disarray within an organization. If you are in the middle of construction, people typically become desensitized to having unknown people working within their building and tend to let their guard down. Downsizing can also be very distractive to employees as they aim to be more accommodating and helpful, thinking it might affect their job longevity.

Financial institutions are particularly vulnerable because the financial industry remains in flux. Many employees are anxious about their future employment and the stability of their institution, which could lure them into clicking on links in emails to learn more. These emails are ripe for the clicking and employees need to be very cautious when accessing any link. Physical security at financial institutions may lax during these times, too. Again, the willingness to be helpful or accommodating without following the proper security procedures can put your company at risk.

Beware of changes within the business that distract from normal working conditions. Know your business culture and keep your guard up when times are chaotic.

Your only defense is to ensure your employees have a critical understanding and vital role in protecting your information assets. This is accomplished by maintaining good policies and procedures and conducting frequent and regularly scheduled security training awareness classes. Repetition will help employees follow protocol and security measures. More eyes knowing what to watch for and being alert to deceptive tactics can keep your information safe and away from thieves.

NCX Group welcomes the opportunity to provide security awareness training for your organization. For a free consultation on how our experts can help you secure your data at a price that will fit your budget, `call us at 888-448-5451 or request a representative to call you.

NCX Group, Inc. is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today’s technologies and business processes.