Three V’s of Security Awareness
As much as we might like to, we do not always get to know all our coworkers well. We have all had the experience of bumping into a fellow employee with whom we are unfamiliar in the office. You may hesitate to address them, but this is an instinct to avoid. A malicious actor attempting to gain access to on-site resources may pose as a fellow employee complete with badge, a delivery driver, a maintenance worker, or any of an assortment of roles that could have a plausible reason to be in your office.
Never accept an unscheduled or unsolicited visitor’s word alone. They may know the name of your facilities manager and say they are authorized to do the work, but they could have acquired the information from a public source. Always verify with the proper person or department that the visitor was scheduled and is indeed meant to be there. If they are not scheduled or expected they should not be given any access a non-employee would not have. There may be a valid reason for their visit, but every visitor’s identity should be verified before being allowed to conduct any work, even if they appear to be a legitimate service.
An attacker need not always interact with your office’s computers to gain information. They may find a desk with passwords on Post-it notes, or other sensitive documents left in clear view. A clean desk policy is important for just such reasons. Our own social engineers have found tax IDs, Social Security numbers, and other confidential information during tests that should have been either locked up or shredded. Even without access to the office’s network they were certainly able to access sensitive information on-site with a plausible cover story. In short, if someone unfamiliar is seemingly wandering around your office, vocalize it to a manager or security immediately. It is easy enough to buy a small step ladder and coveralls to look the part, so stay vigilant.
Remembering these three V’s will help you serve as a Vanguard against scammers, protecting both your business and your customers.
Verify – Check that the visitor is authorized and scheduled to be there. Make certain that the proper people and departments have been notified about any work that they are there to do. If you are unsure, always ask. Check identification and verify that they are indeed from the company they claim to be.
Vocalize – If there is an unauthorized visitor in your office make sure the proper people and departments are made aware. Have an incident response plan that clearly defines what employees should do when an unexpected visitor arrives.
Vigilance – Practice security awareness every day to build good habits. Ensure that employees are trained on the current visitor policy and that their training is regularly tested.