Computerworld - Administrative staffers may not have their fingers on the pulse of business-critical operations, but they do get their hands on a lot of sensitive company information.
Executives often grant administrative assistants and record-keepers access to strategic data and correspondence to make their own lives easier. As a result, these well-meaning assistants are often targets of hackers, scammers and even espionage.
Up to 70% of IT breaches are internal in nature, according to Douglas Beaver, vice president, North America, at Asero Worldwide Inc., a Washington-based security consulting firm. In many cases, employees give out information accidentally.
Administrative staffers must guard against pretexting scams, which involve setting up a scenario to persuade a target to release information or perform an action.
"It's typically done over the phone," Beaver explains. "It's not as simple as a lie. The pretexter does some prior research and uses pieces of known information, such as a birth date or Social Security number, to establish legitimacy in the mind of the target." That information can include how to access systems, customer information or any variety of data.
"There's a lot of turnover in these positions, and generally it's a younger workforce," he says. "The inexperienced workforce is more prone to fall prey to pretexters."
IT's response: Beaver advises companies to train staffers on how to properly screen calls. Establish policies on what information they can or can't release, and retrain them with real-world examples on a regular basis.
In 2005, Israeli fraud investigators cracked a major espionage case in which several corporations hired private investigators to secretly install software on administrative staffs' PCs. The machines became infected by a Trojan horse that would steal financial information.
According to investigators, the hacker who created the program used two methods to plant his malicious software in the target computers. One was to send it via e-mail. The other was to send a disk to the target company that purported to contain a business proposal from a familiar firm that would arouse no suspicions. Then, when an employee loaded the disk to view the proposal, the Trojan horse would infect his computer.
IT's response: Make workers aware of the various methods of espionage. "Losing sales projections for next quarter is potentially much more damaging than getting a virus on the network that inconveniences the IT department," says Avishai Wool, chief technology officer at Algorithmic Security Inc., a firewall management company in Reston, Va.
Most administrative staffers are happy to pick up a few free items at a conference or trade show. But those disks and memory sticks can come loaded with software that could disrupt your systems.
IT's response: Set a policy discouraging employees from bringing these items to work. "If somebody gives you a free CD or DVD," even at a trade show or business conference, "don't plug it into your work computer," Wool says. "Definitely don't plug in USB sticks," because they can contain software that can launch automatically, he adds.
When administrative assistants are hired, the position might not call for a criminal or financial background check. But as they move up the corporate ladder, a clean record becomes more important.
Tell staffers that they should expect to be "revetted." They should keep their personal finances and police records spot-free.
"You have an administrative staffer working at a junior level who now has a credit card for booking travel. Or the CEO might have a massive expense account, and they're not going to notice if [the staffer] buys a computer to sell on eBay when paying the bill," says Bill Nichols, a senior consultant and practice leader at Control Risks Group Ltd. in Washington.
IT's response: Run occasional checks. Knowing that an employee hasn't committed a crime or gotten into financial difficulty since his initial hiring will reduce risk.
Next: 4 things your remote staff should know
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
