The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, March 05, 2005

Your security (and your company's reputation) rests in the hands of your employees 

I've blogged on this topic before (Better develop a "culture of privacy", Edmonton cops investigated for misusing law enforcement databases and Sorry, but implementing privacy laws may upset some customers.), but it bears repeating again and again and again.

You can have the right privacy policies. You can harden your network and your systems to ward off hackers. All this effort will be lost if your employees are not sesitized to think about privacy and security all the time. Train them to think about how they hold business and customer information in trust ... and to trust their instincts if anything feels weird.

CNet is reporting on a presentation given by Kevin Mitnick who knows first hand how easily exploited employees can be.

Mitnick: Security depends on workers' habits CNET

"Famed ex-hacker Kevin Mitnick is warning against security strategies that focus on technology. Rather, teaching your staff to say no will help keep your network secure, he says.


Many companies invest heavily in technologies to protect their networks, but Mitnick was quick to point out that even the tightest technological barriers never stopped him. Rather, some carefully planned social engineering--or even a bit of dumpster diving in one's spare time--can often be far more effective at penetrating the weakest security link at most companies: their people.

"What you can find in the trash is simply amazing," Mitnick said. "People throw out notes, drafts of letters, printouts of source code, printouts of project documentation they're working on. In some cases, they even write down passwords and access information, or calendars that list every person that person has talked to or met with."

This information provides invaluable assistance to hackers keen to worming their way into a company by, say, impersonating an employee and calling the internal help desk, or dropping in and pretending to be a business associate. Because people hate to say no, even when they're suspicious of a well-presented stranger, Mitnick says, smooth talking has gotten many a hacker far closer to a target company's network than brute-force technological attacks.


The solution to such security vulnerabilities is easy to understand but often hard to implement: Develop clear security policies for issues such as treatment of strangers, handling of information and access to physical facilities by visitors. Teach employees to fall back on those policies when they're in suspicious circumstances rather than trying to ad-lib their response or give in to their natural inclination to accommodate the hacker's requests.

Even a simple request for contact details, so that a company employee might call back the person requesting assistance, can be enough to make many hackers turn tail and run.

"We can't expect our employees to be human lie detectors," Mitnick said. "One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.

"Social psychology has found that people should generally pay attention to their own discomfort. If something doesn't feel right, or it's nagging at their gut, they'd better check it out. They're not always going to remember a security policy, but what you want is to come up with some very simple protocols that will trigger employees to refer to security policy. The only people who are going to object to this are the bad guys."

David Braue reports for ZDNet Australia."

Labels: ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs