HR Information Insecurity
Steal Our Data, Please
As a consultant, Accretive Solutions’ Mike Saylor has what might appear to be an unseemly, if not outright criminal, expertise. He’s a self-taught expert at slipping past security perimeters and checkpoints at business facilities and stealing sensitive data.
But it’s all good, because it’s the corporate victims themselves who enlist Saylor and Accretive, a New York-based firm that helps companies to identify and fix holes in their information defenses. Often, Saylor says, the vulnerability that he discovers and exploits isn’t a porous firewall or inadequate vetting procedures, but something even more insidious: basic human nature.
In one recent assignment, for example, Saylor was given the address of a Detroit debt collection agency and instructions to obtain an assortment of personal credit reports stacked in a printer tray somewhere in the building. Saylor's preliminary surveillance revealed that the business had elaborate defenses against intruders, including an entrance checkpoint where a receptionist screened visitors and verified they had appointments, and interior doors that could be opened only with security badges.
So Saylor chose to exploit what he says usually is the weak link in corporate security: the human factor. He walked into the lobby playing the part of a typical preoccupied executive, talking on a cell phone, with a bunch of paperwork in one hand and a Big Gulp in the other.
“I got past the receptionist without even talking to her, and people just opened the doors for me, because they didn’t want to be rude,” Saylor recalls. “I made it past two secured areas, found the printer, and made it out of the building with 39 confidential credit histories. It took 12 minutes.”
Before becoming Accretive's national security services director, Saylor worked as a personal bodyguard, as a college computer science professor, and as chief security officer for a telecommunications firm, where he says he frequently worked with the FBI and other federal agencies on cybercrime investigations.
Saylor is also adept at "pretext calling," in which he uses bits of information gleaned from corporate Web sites and LinkedIn and Facebook profiles to trick employees into giving up restricted data or revealing the procedures for obtaining it.
While corporate leaders may be most worried about Eastern European or Chinese hackers stealing their secrets via the Internet, Saylor says that they seldom realize how easy it is for an unauthorized person to walk off with a laptop full of sensitive data, or a stack of confidential papers. And given the current economic turmoil, the thief is increasingly likely to be someone on the inside.
“Employees who got laid off or who didn’t get a raise, malicious executives who didn’t get bonuses—all of these people know company processes and how to take advantage of them,” Saylor warns.
That’s why Saylor preaches to companies the importance of teaching all levels of the workforce what he calls “security awareness”—that is, not only to follow the procedures in the corporate rule book, but to continually, proactively be on the lookout for attempts to steal information, whether it’s by an outsider or a co-worker.
"If you see an unfamiliar person walking around, be sure to ask them who they are and whether they need any help," Saylor says. "And know that the IT department will never send you an e-mail asking for your password, or ask for it over the phone. If you get a request like that, alarms should go off."
Workforce Management, February 2010, p. 3