Protect your agency from potential hackers
By Eric Johnson
Eastern Region Technology Representative
We've become accustomed to usernames, passwords, anti-virus software and firewalls implemented by our technology staff to keep our networks secure. But not all hackers use computer tricks to tap into protected systems - sometimes they just have to ask the right questions or be in a certain place at a certain time. That's why each employee, not just your tech team, plays a role in keeping your data safe.
"Social engineering" is the practice of getting computer security/access information by manipulating people rather than cracking codes on a computer. The first time I heard about social engineering, also called "over-the-shoulder security," was on a television program spotlighting a hacker convention. The audience listened as one presenter contacted a major computer company via telephone. During the conversation, relayed on a loud speaker, the presenter played the role of an employee as he contacted the help desk. After making small talk, the hacker said, "I can't find the number to Network Support. Do you have that number?" The employee gave the hacker the number as anticipated. While the demonstration ended here, in real life the hacker would continue contacting a variety of personnel to get data little by little until he acquired the access codes he was after.
As in the example, sometimes a hacker can simply ask for the information. Others may obtain it by getting ahold of passwords or even watching you enter a PIN, such as at an ATM machine or public telephone (thus the name "over-the-shoulder" security). In a more extreme case, a hacker actually recorded a CEO's voice and learned to mimic him. When the CEO was on vacation, the hacker phoned the CEO's assistant pretending to be her frantic boss who couldn't find his passwords. She divulged all information requested.
While most methods of social engineering are very time consuming, they have also proven to be remarkably effective. What would be the result if a disgruntled customer obtained your company site access codes? Could they submit erroneous business or provide account details to your competitors?
Electronic information is only as secure as users want it to be. Here are some tips to help make sure your valuable data is protected:
- Know your company's security precautions.
- Streamline all automation inquiries through one person to decrease the possibility of someone getting bits of information from several staff members.
- Always reset the password when an employee leaves your company.
- Be sure none of your carriers accept password reset requests from anyone other than the agency principal.
- Keep your access codes in a secure place and know how many lists are maintained.
- Be suspicious of anyone wanting detailed information about your system, even if they say they are from your Internet provider or support your management system.
- Encourage your staff to learn more about the deceptions practiced by hackers.
For more information visit the Computer Security Institute or The SANS Institute.
About the author: Eric Johnson, GC's Eastern Region technology representative, serves agents in Connecticut, Maryland, Massachusetts, New York and Pennsylvania. Eric joined the Company in 1997 as a customer service representative, later fulfilling the role of personal lines support manager until his promotion to technology representative.
For more information please contact Anne M. Smith.