FAIRFAX LAWYERS KEEP YOU UPDATED ON DC METRO LAWS


A SERVICE OF GROSS, ROMANICK, DEAN & DESIMONE, P.C.

Monday, November 5, 2007

PROTECT YOUR COMPUTER SYSTEMS FROM SOCIAL ENGINEERS

As computer hacking becomes more prevalent, more and more companies are taking the time to deploy security technologies to protect themselves and their computer systems. While this action is to be commended and is certainly a step in the right direction, very little attention is given to the risk posed by individuals who utilize highly unethical practices to obtain unauthorized access to computer systems. These data thieves, called “social engineers” in the information security vernacular, use persuasive techniques in a manipulative and deceptive manner to steal data and personal, private or confidential information from businesses. Social engineers exploit the best qualities of company employees (helpfulness, teamwork and politeness) to gain access to a company. Kevin Mitnick, a veritable legend among hackers and social engineers, in his book “The Art of Intrusion” aptly described social engineering as “information security’s weakest link.”

A few years ago, Wired Magazine reported that hackers from around the world were repeatedly stealing customer information from a large internet service provider by simply asking for the information. According to the article, which is available here, one social engineer was able to obtain confidential account information merely by pretending to have recently undergone jaw surgery and mumbling the responses to security questions. Just last year, a large American payroll company released the names and personal information of about 10,000 brokerage clients to a social engineer impersonating a corporate officer (available here). Even more recently, a government audit discovered that almost 60% of IRS employees changed their computer passwords when requested by a caller simply claiming to be from technical support (available here).

In order to protect against social engineers, it is imperative that a business draft and enforce an information security policy and train its employees to understand and follow the policy. The attorneys at Gross & Romanick, P.C. work hard to stay abreast of the latest trends in the law and technology of information security. If your company needs help drafting an information security policy and/or needs instruction on how to help your employees understand the risks created by social engineers, hackers, crackers, phone phreaks or script kiddies, our lawyers can help.