
By Andrew Newnham (Fruition Data)
When people think of IT security, they think of firewalls, passwords and anti-virus. The problem is that most people ignore the biggest risk to their IT security and data: the human risk.
It’s not enough to protect your data from threats over the web. You also need to train all staff to understand why security matters and how to recognise an unusual request, whether it arrives by phone or by email.
Now, before you get paranoid about the true intentions of the next person who calls you, there are some very simple steps you and your employees can take to help keep your computer systems secure.
1. Never give out passwords, account names or other private information to someone who calls “out of the blue”, no matter how authoritative they sound.
2. If the caller gives a valid reason why the action should be taken, ask to call them back. When you call back, always use a phone number from a public source such as the white pages. Do not use any phone number the caller gives you, as it can be fake. Also, don’t rely on caller ID, as it can be spoofed too.
3. Go with your gut feeling. If an employee feels that something is not right with a customer’s or supplier’s request, have them report it to their manager before any action is taken. Make sure your company policies encourage this.
With a bit of education and training, you can feel confident that your company data is protected not only from attacks via the web, but also from attacks via the phone.
The concept of passwords is dated, and there are ‘better’ policies which could be enforced in software to protect people from themselves.
If someone leaves a jar of pastel coloured candy and USB thumb drives, etc. with a ribbon around it – even if the jar is not in the shape of a giant wooden horse – chances are staff will ‘play with’ the USB thumb drives.
This works in over 70% of scenarios against ‘small businesses’.
It is far from the ‘only easy way’ to trick the ‘human risk’ into disclosing (without them even being aware they have) their passwords.
And no, this is not a ‘Trojan horse’ in the sense of computer virus attacks. This is much closer to the original concept.
Not to mention that the candy could be laced with poison (or specific allergens* to target specific staff).
People just see pastel colours plus ribbon = trust.
[Negligence, Ignorance: I felt compelled to mention this, as the thumb drives could just be a decoy that people get trained to ignore, and I would ‘feel partially responsible’ if someone got sick or injured – bearing in mind the ‘above idea’ is not my own, it is ‘well published’].