Rossander’s Security Reader

How many people have access to your desk when you’re not around?

I assume that your co-workers are basically good people. If they weren’t, you wouldn’t have hired them in the first place. Does that mean you know everything about them? Or would you be like so many on the news commenting after the fact that he/she “seemed like such a nice person”? It would be a wonderful world if we could trust every person we met. Unfortunately, even good people can fall prey to temptation.

You also need to worry about the people you didn’t hire. If you’re like most small offices, the landlord’s cleaning staff, contractors, visitors and many other outsiders have some degree of access to your space. And you generally have few assurances about who they are, what background checks were run or what supervision they receive.

You have to assume that people you can’t know have access to your space when you’re not around. Most of them are good people. Do what you can to help those honest people stay honest.

• Always turn off your computer at night. Don’t just lock the screen. If your IT team has set it up properly, extra protections will kick in when you shut the computer all the way down.
• If you have a laptop, lock up it in a desk drawer at night. Laptops, PDAs and mobile phones are high-theft devices. Don’t make it easy for the thief.
• If you have enough space, put away your paper files at night. Lock them in a desk drawer or filing cabinet. Even if the cabinet doesn’t lock, it will at least be more obvious when an unauthorized person is snooping though the files. It’s harder to tell when someone is snooping through the papers on top of your desk as they are “cleaning” it.
• If you can’t lock the papers up, at least put a cover sheet or blank page on the top of the pile to protect the confidential information from casual oversight.
• Make sure you collect papers off faxes and printers as soon as possible. Don’t leave them exposed to guests and others walking the halls.
• If you see something suspicious, call for help. If you have an internal security team, make sure everyone in the office knows how to contact them both during and after normal business hours. If your office’s immediate action drill is “call the police”, make sure they know how to do that, too.

It’s hard to believe that it’s almost Memorial Day and that people will start leaving for summer vacations soon. Please take appropriate precautions both before you leave and while you’re on your vacation to reduce your risk of fraud and identity theft.

Before you leave:

1. Clean out your wallet.
• Use traveler’s checks or credit cards for payment. Leave your checkbook at home.
• Leave your debit card(s) at home. Under federal law, your liability is limited if your credit card is misused. If your debit card is stolen, you could lose all the money in your checking account.
• Take an ATM card that does not have debit card privileges. Your bank should be able to issue you an "ATM only" card.
• Never carry your Social Security card in your wallet.
• Leave any unneeded credit cards and any other unnecessary documents at home.
2. Photocopy your wallet and keep the copy in a safe place. If your wallet is stolen, the copies will tell you who to call to get your cards canceled. Note: If you will be gone for a long time, consider leaving a copy with someone you trust who can help you cancel the cards while you’re still on the road.
3. Stop your newspaper delivery and have the Post Office hold your mail (or ask a trusted neighbor to collect them for you). The bills and account statements in your unlocked mailbox are a goldmine for an identity thief. And the packages and newspapers piling up on your front step are a sure sign to a burglar that you are away.

While on your vacation:

• Don’t leave your wallet, passport or any identifying documents in your hotel room unattended. Use the hotel safe if it’s available.
• Keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.
• Guard your credit card receipts and rental car agreements, especially if they contain your full credit card number or driver’s license number.
• Use ATMs at banks or credit unions and which are in well-lit areas.
• If you are taking your laptop with you, be very careful when using it for on-line banking and other password-protected services, especially if you are connecting to a wireless hotspot.
• Be equally cautious of cyber-cafes and other public-access internet facilities. Anyone could have left a keystroke logger on the machine in order to capture your ID and password.

By the way, there will be no InfoSec Tip next week. Have a safe holiday.

If you’re in a business, train your team to ask strangers "Hi. How can I help you?"

The wording of the question is important. "Can I help you?" gives the person the opportunity to say "no." The word "how" quietly forces the person to state a purpose. If he/she is unable to answer this question easily, that is a tip-off that the person could be up to no good. Be polite and personable but don’t let strangers go unchallenged.

Make sure you teach your team what to do when someone strikes them as suspicious. If the person claims to have forgotten an ID badge, have him/her escorted to your main entrance to be properly signed in. Likewise, if the person claims to be law enforcement, escort him/her to your Security Office so that credentials can be verified. Remember, badges can be faked.

My brother-in-law had his wallet stolen over the weekend. In the interest of learning from the misfortunes of others, here are some things to think about.

1. Never, never, never carry your Social Security card in your wallet.
2. Photocopy your wallet about once a year. Lay the contents out on a copier (front and back) so you have a record of all the cards and contact numbers.
3. Only carry the cards that you use on a regular basis. Leave the rest in a safe place at home. If you have bills set up to auto-pay by credit card, use a card that you leave home. Otherwise, you’ll have to change all those accounts when the card is cancelled.
4. When your wallet is lost or stolen, immediately call the financial institutions and start canceling the cards that were lost.
5. Call the three credit reporting agencies and put a fraud alert on your account. Consider putting a credit freeze on your account. (A fraud alert is free but must be renewed in 90 days. A credit freeze will typically cost $10 and requires extra effort to have lifted when you want to apply for credit legitimately but it provides somewhat better protection.)
6. If you haven’t reviewed your credit report lately, do it now. Follow the instructions at annualcreditreport.com.

Police advise men to keep the wallet in their front trouser pocket, not a jacket pocket and definitely not a rear pocket. Police advise women to keep their purse with them and to carry it on their strong-hand side (if you’re right-handed, carry it on your right shoulder).

If you’re traveling, keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

No, I’m not talking about the Browns fans drinking in the parking lot. I’m not even talking about the road-ragers who think that we’ll drive differently just because they’re close enough to read the fine print on your license plate renewal sticker.

The tailgaters we need to worry about at work are the neatly-dressed people who quietly walk up behind us and expect us to politely hold the door even though they have no right to be in our building. Tailgating is the art of acting like you belong and of using social pressure to convince people to ignore their own rules and policies. Tailgaters practice coming up behind you with just the right balance of professionalism and distractedness so that you believe that they belong. Good tailgaters come prepared with a plausible excuse why you should "be a nice guy" and break the rules – “It’s raining “, “My arms are full”, “I forgot it in my desk last night”, etc. There is no way to identify a scammer just by looking at him or her.

Tailgaters represent a real risk for your organization. Once in the building, they can steal information, compromise systems or worse. If the intruder is a disgruntled claimant, a former employee or a significant other, they could be attempting to get into the building for violent reasons.

Whatever your entry control procedures are, you should have a strict “no tailgating” policy. Do not let staff hold the door for anyone until you are sure that they are authorized to be in the area. If your building uses security badges and someone tries to follow you through a controlled door, demand to see their badge. If they are a visitor, politely escort them to your main entrance and get them properly signed in. (You do have a Visitor’s Log, of course. If not, here’s a template you can use. Visitor Logs are surprisingly effective at deflecting these criminals to other, easier targets.)

You also need to know what your office’s emergency reaction plan is before someone forces their way in. Know who to call and how to report the breach. Don’t put yourself in harm’s way but do not allow the intruder to wander your halls unchallenged.