The security manager receives a call from the front desk receptionist. She tells him that during lunch, the fill-in receptionist received a call from an individual who identified himself as a volunteer for Good Charity. The volunteer wanted to send an invitation for their annual fundraiser to the vice president, but he didn’t have the home address. He also asked for the correct spelling of the name of the vice president’s spouse. The fill-in receptionist knew that the vice president supported Good Charity, so she gave the volunteer the information. What would you do?
Provide training for the receptionist and other gatekeepers on the risks of giving seemingly innocuous information to unknown individuals. It is impossible to know what information could be useful to a competitor or another individual with malicious intent towards the organization. The target of an unsolicited call will probably not be obviously secret information, like company financial information or the secret recipe for a world-famous beverage. The target will be information that can be used to obtain more valuable information.
What information should be deemed private will vary for each organization. A general rule of thumb is not to share any information that would not be shared with a competitor or enemy. Another way to think of this is not to share any information that is not made public on your company’s website, advertising, or brochures. Another caution: don’t add details to information that is provided to the public. If publicly available information only lists the main company phone number, for example, don’t give out direct dial numbers. Other examples of sensitive information could include how the organization disposes of documents and other trash, the names of suppliers to the organization, how the visitor badge process works, what browser and operating system are most common at the organization, what email system is used, the virus protection software used, contact information for certain employees, hiring and termination processes, and other information.
The warning about personal information applies to all company employees, but especially gatekeepers such as receptionists, administrative assistants, and call centers. Be aware of callers with a sense of urgency or a “problem” that needs to be fixed. Beware of someone claiming to be an authority with no credentials to back it up. Do not rely solely on caller ID as a means to identify the person on the line, because this information can be faked relatively easily or may not be present at all. Protect all information, not just information that is obviously “important.”
Protus3 specializes in security system design, security consulting, corporate investigations and other investigative services. Partner with Protus3 and we will examine each situation to identify threats and develop solutions for your best outcome.