What Is Meant By Careless Talk and Social Engineering?
Careless Talk means:
- Talking about business, the office, people from work, etc. where you can be overheard.
- Discussing business with people who are not authorized to know.
Careless talk also means inadvertently providing sensitive information to someone who wants it for a specific purpose, such as breaking into the corporate premises or computer systems.
This is called Social Engineering.
Avoiding Careless Talk
If you follow the tips in this brochure you will be able to avoid Careless Talk and learn how to be discreet.
Need To Know Principle
The Need to Know Principle means that you are provided with access to information and assets needed for you to do your job. No more – no less!!
Important tips to remember about the Need to Know Principle:
- Not everyone has the same access level to information as you.
- You should not exceed your access level without permission.
- Don’t provide information to anyone else without authorization.
Careless Talk
Before you talk to someone about your work and the corporation's business, you should ask yourself the following question:
Does this person have a defined ‘Need to Know’?
If they don't have a Need to Know, then you should not discuss with them information they are not entitled to hear.
Do not discuss critical business in a public area.
Public Places
If you are discussing business in a public place, such as a café or pub, think about the following:
- How sensitive is the information being discussed?
- Should you be talking in a public place or can your conversation wait until you get back to the office?
- Can anyone overhear you?
Gossip and Personal Confidences
If you are talking about other colleagues you should consider the following:
- Is the conversation appropriate for a professional such as you?
- Can anyone overhear you?
- Are you breaching a confidence?
Remember, spreading rumors can be very damaging to the morale of the corporation and can be hurtful to the person or persons concerned.
Social Engineering
There are people across the world who gain illegal access to business premises and computer systems by finding out everything they can about the security and business processes in place.
They do this to steal information or assets, or to copy or destroy information, for reasons such as:
- Money (committing fraud, either paid or unpaid),
- Gathering knowledge for competitors' companies,
- Malicious intent,
- Disgruntlement with the corporation,
- And sometimes, just because they can.
How Do They Do This?
- A Social Engineer may ring you and pose as a person from your IT Department or Help Desk and ask you for your User ID, password or other questions relating to the IT network and security systems.
- A Social Engineer may arrange to meet you outside of your work environment and ask you questions about what you do and how the corporation does things.
- A Social Engineer may overhear a business-sensitive conversation.
- A Social Engineer may even ask to see your security access card/token or your ID card (if you have one).
What Do I Do If This Happens To Me?
If someone approaches you, or telephones you, and asks questions that you think should not be asked, remember:
- Do not give your password to anyone at any time – not even to the IT Department.
- Apply the Need to Know Principle.
If they sound genuine and you think they do work for the corporation, all you need to do is ask questions and obtain their company contact number.
Verify the contact number by checking your internal staff directory, then ring back using the number listed in the directory.
If they get annoyed at the precautions you take, remember that a Social Engineer will use anger to pressure you into doing what they want. If the person does in fact work for the corporation, don't worry! You are doing your job by protecting the corporation's assets.
Don’t become a victim of a social engineer! Always apply the need to know principle.
These careless talk security guidelines, together with the previous article on instant messaging security guidelines and the next article on secure media handling, form part of the security guidelines for your organization. Media contains your organization's information, and unauthorized people should not have access to it at any time. When you throw something in the rubbish or waste paper bin, you do not know where it can end up once it leaves your office.