Formal training procedures are essential to prevent staff from being tricked into revealing sensitive information about customers.
VANCOUVER—The Internet is an increasingly necessary, yet hazardous place to do business.
A growing number of consumer and business-to-business transactions are being processed online, making it more important than ever to have procedures in place to protect customer data against social engineering and hacking attempts.
“First and foremost, you need to make a game plan, identify the points of ingress into your organization that could be open to data theft,” advised Jag Bains, chief technology officer of Internet security firm, DOSarrest, based in Vancouver.
DOSarrest provides services ranging from vulnerability testing of web sites to security monitoring and protection against distributed denial of service (DDoS) attacks.
In the business world, front-line staff are more likely to be the source of security leaks than hackers or high-tech government espionage, Bains noted.
Employees are vulnerable to a tactic called social engineering, and it isn’t new. It occurs when an employee is manipulated into disclosing personal information, such as credit card data or account details.
“Social engineering is one of the primary entry points for trying to access sensitive data,” Bains said.
In these cases, a caller pretends to be a legitimate customer and fishes for information until the employee divulges identifying data about a client, which the caller can then use, for example, to misappropriate funds.
“This happens quite a bit. It’s probably more prevalent than someone trying to hack your web site,” he noted.
While all companies should have their web sites tested for vulnerabilities, they should also ensure they have procedures in place to properly vet callers.
“If someone is trying to ask for billing information, details on an individual, excessive questions focusing on unique criteria, it’s going to be a red flag,” he said. “Every customer should be vetted, every customer should be verified.”
Lack of training
Temporary employees are especially vulnerable to social engineering because they generally don’t receive proper training.
“You should be making a game plan and inventory and policies and procedures about how information flows across the phone system and the web,” Bains advised. “Don’t leave it to undocumented common knowledge.”
This means developing and implementing formal policies and procedures, advice that applies to companies large and small.
Though small firms may know their customers well, it’s important to put policies in place early if there’s an intention to grow and scale the business, Bains said.
In addition to teaching employees to recognize and thwart social engineering attacks, companies should make sure their web sites are secure.
Hackers have developed tools to scan the web and simply “rattle the door” to see whether a system can be penetrated.
“The hacker may have come in and walked through your systems but discovered there aren’t enough points for posterity,” he said. In other words, the hacker wouldn’t win any points bragging to friends about the intrusion.
It’s also crucial to keep systems up-to-date because an unpatched Windows installation could be hacked within 12 seconds of going online, Bains said.
Keeping a security expert on staff can be expensive, especially for small- to medium-sized businesses: such specialists command fairly high salaries, in the neighbourhood of $90,000 to $120,000.
Outsourcing the work to third-party security firms, or using cloud security providers, can be more affordable, he added.
Protecting customer data has become a lot more complicated, but it’s a necessary path for business security and customer confidence.
– Rebecca Reid
Photo: Copyright ©2013 iStockphoto LP