In August of 2012, on a hot day in Las Vegas, a recently hired Walmart manager of government contract logistics spent 20 minutes on the phone with the store manager in a remote military town in Canada.
During those 20 minutes, the logistics manager took down vital information from the store manager in preparation for a big government contract: the store’s management schedule, their janitorial and cafeteria food contract providers, even the type of computer system the store manager used and what antivirus software it had installed.
The only problem is that there was no government contract logistics manager. The call was part of the Social Engineering Capture the Flag contest run at the hacker convention DefCon, and in 20 minutes a contestant gathered every piece of information he would need to rob the store, sell its details to competitors, or infiltrate its computer systems, using nothing but a telephone and a few hours of research. This is social engineering, and attackers are increasingly using it to get inside businesses and steal their secrets.
Here’s what they’re doing and how to protect your company:
- Protect Personal Contact Information — It’s good to put a public face on your company, but keep the private internal email addresses, direct phone numbers, and other contact details of senior employees out of public view. An attacker who has that information can use it to impersonate them convincingly.
- Give Information on a Need-to-Know Basis — In the Walmart story the information came from a store manager, but usually the target is a much more junior employee. Compartmentalize sensitive information so that no single employee can hand over everything an attacker needs.
- Formalize Information Channels — Company secrets should never be shared informally. Put a written procedure in place for how, with whom, and after what verification company information may be shared. Social engineers exploit informal structures, such as a friendly colleague doing a favor over the phone, to get more than they otherwise could.
- All Information Is Private Information, Or None Is — To a dedicated social engineer, even tiny pieces of information add up: in the Walmart call, the management schedule, the cleaning contractor, and the antivirus product were each harmless on their own but useful together. Make sure you and your staff understand that anything shared can become public quickly. Don’t share anything with anyone outside the company that you wouldn’t be comfortable seeing on the front page of the New York Times.
- Record Outbound Contact — Log outbound phone calls, emails, text messages, and similar contact, because you can be sure that any social engineer working on your company is keeping a record of their side. Audit these logs regularly to make sure information is not getting out, and so that an attempt like the Walmart call can be recognized after the fact rather than going unnoticed.