The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [86]
PREVENTING THE CON
From pawing through your trash to duping a security guard or receptionist, social engineers can physically invade your corporate space. But you’ll be glad to hear that there are preventive measures you can take.
Protection After Hours
All employees who arrive for work without their badges should be required to stop at the lobby desk or security office to obtain a temporary badge for the day. The incident in the first story of this chapter could have come to a much different conclusion if the company security guards had had a specific set of steps to follow when encountering anyone without the required employee badge.
For companies or areas within a company where security is not a high-level concern, it may not be important to insist that every person have a badge visible at all times. But in companies with sensitive areas, this should be a standard requirement, rigidly enforced. Employees must be trained and motivated to challenge people who do not display a badge, and higher-level employees must be taught to accept such challenges without causing embarrassment to the person who stops them.
Company policy should advise employees of the penalties for those who consistently fail to wear their badges; penalties might include sending the employee home for the day without pay, or a notation in his personnel file. Some companies institute a series of progressively more stringent penalties that may include reporting the problem to the person’s manager, then issuing a formal warning.
In addition, where there is sensitive information to protect, the company should establish procedures for authorizing people who need to visit during non-business hours. One solution: require that arrangements be made through corporate security or some other designated group. This group would routinely verify the identity of any employee calling to arrange an off-hours visit by a callback to the person’s supervisor or some other reasonably secure method.
Treating Trash with Respect
The Dumpster-diving story dug into the potential misuses of your corporate trash. The eight keys to wisdom regarding trash:
• Classify all sensitive information based on the degree of sensitivity.
• Establish company-wide procedures for discarding sensitive information.
• Insist that all sensitive information to be discarded first be shredded, and provide a safe way of getting rid of important information on scraps of paper too small for shredding. Shredders must not be the low-end budget type, which turn out strips of paper that a determined attacker, given enough patience, can reassemble. Instead, they need to be the kind called cross-shredders, or those that render the output into useless pulp.
• Provide a way for rendering unusable or completely erasing computer media—floppy disks, Zip disks, CDs and DVDs used for storing files, removable tapes, old hard drives, and other computer media—before they are discarded. Remember that deleting files does not actually remove them; they can still be recovered—as Enron executives and many others have learned to their dismay. Merely dropping computer media in the trash is an invitation to your local friendly Dumpster diver. (See Chapter 16 for specific guidelines on disposal of media and devices.)
• Maintain an appropriate level of control over the selection of people on your cleaning crews, using background checks if appropriate.
• Remind employees periodically to think about the nature of the materials they are tossing into the trash.
• Lock trash Dumpsters.
• Use separate disposal containers for sensitive materials, and contract to have the materials disposed of by a bonded company that specializes in this work.
Saying Good-Bye to Employees
The point has been made earlier in these pages about the need for iron-clad procedures when a departing employee has had access to sensitive information, passwords, dial-in numbers, and the like. Your security procedures need