5 things your receptionist should know about your company's data security
Scammers, social networks and illegal downloads threaten your front-line defense.
April 14, 2008 12:00 PM ET
Computerworld - Receptionists are at the front line of communication with customers and guests, which often makes them the first targets for hackers and saboteurs looking for company information.
Often young business neophytes, receptionists can be eager to show their competence, and they might inadvertently supply too much information to a persistent caller or visitor. They might also stave off boredom by checking their personal e-mail or surfing the Web. Here's what they need to know.
1. Don't trust strangers.
Social engineering scams -- where crooks extract information from victims through interaction and by building trust -- are on the rise, according to Bill Nichols, an information security consultant at Control Risks Group Ltd. in Washington. Receptionists represent a prime target because they have access to employees' phone numbers and home addresses and, in some cases, to company systems. The scammer gathers bits of information over time, becomes increasingly credible and eventually gains access or passwords. "That's a real situation that we see all the time," Nichols says.
IT's response: A clearly written policy should classify what information shouldn't be distributed. Access to financial or human resources databases, as well as to sensitive customer information, should be restricted. Receptionists should also be trained with real-world scenarios to learn how to respond to information requests.
2. Social networking sites can hold dangers.
Receptionists might kill some time by browsing their Facebook or MySpace accounts, watching an online video or downloading music. But malicious code can now be hidden in video streams, downloaded from YouTube or embedded in songs streamed from social-networking Web sites.
What's more, Web users often have no control over the audio or video they browse. "You can embed these media types directly into Web pages," said David Thiel, a consultant at iSec Partners Inc., an applications security consulting company in San Francisco, in a February webcast. "So for anybody who browses to a Web page, a lot of different media file types are launched automatically as background music or embedded video" without the user clicking on anything.
IT's response: Install a filtering proxy. IT departments can block access to social networking sites completely with firewall software. "But if you want to be more liberal and allow [access], use a filtering proxy to check what's coming across and get rid of the known nasty stuff," says Avishai Wool, chief technology officer at Algorithmic Security Inc., a firewall management company in Reston, Va. "You could also include mail filters on incoming and outgoing e-mail to strip out executable attachments. You don't want to be the deliverer of malware, either."
3. Peer-to-peer software creates legal risks.
For many employees, their PCs at work are more powerful than their home computers, and receptionists might want to take advantage of the ample bandwidth to download or share large files using peer-to-peer software like eMule, Kazaa and BitTornado. Problem is, that opens up the organization to potential legal risk.