August 5, 2010 at 3:35 am
· Filed under Risk Management, Secure Information Exchange
By Johnny Wright
Do all employees within your organization know what information they can and can’t share with external parties? Do you think your business and IT leaders would know if they inadvertently exposed sensitive company data to malicious parties?
Last weekend these questions were put to the test. A contest was held at the DEF CON 18 hacking conference in Las Vegas to see if contestants could successfully call employees at real organizations and collect sensitive corporate information. Of the 140 calls made, only 5 employees declined to give participants the information they were seeking. If an employee declined to provide any information, the contestant simply called a different employee at the same company until they received the information they were looking for. The contest forbade contestants from attempting to obtain passwords, IP addresses or other sensitive data, and instead challenged them to obtain data that ranged from the contact info for the employee who handles a firm’s tape backups to the browser versions being used by employees at the organization.
What do these findings mean? In short, you can throw gobs of money at protecting your network and company data with a full-scale IT department and cutting-edge security tools and infrastructure; but if all of your employees are not properly trained and educated on the corporate policy that aims to protect proprietary information, then your organization and your data are at grave risk from even the most novice of hackers. (In the example above, the information was simply offered over the phone; there wasn’t any hacking involved!)
Organizations must make sure employees know what company information can and can’t be shared, and with whom. Employees should also know the means through which they should share this information, be it electronically, verbally or via snail mail. Any inadvertent sharing of sensitive data can have a significant negative impact on the company. Create, update and enforce policy to prepare your employees and protect your company!
[...] This post was mentioned on Twitter by Lauren Dresnick, GlobalSCAPE. GlobalSCAPE said: Who Can You Trust? Data Security Policy Put to the Test – http://bit.ly/9kR6Ja [...]
Employee training is one of the rudimentary tasks for every enterprise.
Good post.
I didn’t need DefCon to tell me that American employees are gullible. As an expert independent data security consultant operating in Europe and the Middle East – pretexting/phishing has always been one of the key threats we address with clients.
Conventional wisdom (fed by vendor advertising and marcom fodder) is either that data breaches are caused by malware (if you are an anti-virus vendor) or by trusted insiders (if you’re a DLP vendor). This is an unfortunate example of hammers looking for nails. The right thing for any company to do is to perform a data security threat analysis at least once a year and prioritize their data security countermeasures – employee awareness is just one of a long list of data security countermeasures that every company should adopt.
Danny
SP wrote @ August 10th, 2010 at 5:01 am
I totally agree with you on this. I am in the process of writing a new and improved Information Security Policy for our company and there is so much information you need to take into account. I know from previous experience that employees can give information away without even noticing that it can possibly be malicious. Great article and it gives a good insight into what lengths we need to go to in order to enforce this.
Zzzoney wrote @ August 22nd, 2010 at 10:51 pm
Thank you for your site, as it provided me with great information, for cyber-security proto, for the Brussels super computer main quad core analysis/bridge.
Thanks. It is not an easy task to keep all employees trained and updated on company policies, but someone has to do it.
I think this will help me so much!
Thanks!
Yes, the security of sensitive information is hard to protect when the network is so universal. But even though it’s hard, we still need to try our best to do it.
Pandora wrote @ December 6th, 2010 at 9:10 am
employee awareness is just one of a long list of data security countermeasures that every company should adopt
Nona Mills wrote @ December 22nd, 2010 at 11:18 am
employee awareness is just one of a long list of data security countermeasures that every company should adopt