Saturday, October 11, 2014

Simon Says...

In one of the chapters assigned for this week’s reading assignment, our book talks about social engineering. I find this aspect of cyber security especially interesting, which is probably not surprising given the fact that I have a bachelor's in psychology. Naturally, this is a topic towards which I would gravitate. It’s also something I deal with every day at work. My company has very strict privacy rules regarding client information, where we have to verify very specific pieces of information before we can provide any client account data. Sometimes just the fact that we ask for the information upsets people, even after we point out that this is to protect their information. They just like to complain that this is their account and they should be able to have their account information.

But what really surprises me is when other companies call for client account information and argue with me that I should be able to talk to them about the account. For example, a client’s account is transferring to another company, and they call us to check the status of the transfer. We can provide limited information about the transfer: if it’s been received, if it’s in process, if it’s been completed, etc. If there is something wrong with the request so that we can’t process it, we ask the receiving company to instruct the client to call us. At least once a day one of these companies will start yelling that I should be able to provide this information to them. When this happens, I usually ask them if their company has rules regarding client privacy, and they always reply yes, but that in this situation I should be able to give them what they’re asking for. They try various social engineering techniques, such as creating a sense of urgency or attempting to put themselves in a position of authority, anything to make me feel like I should give them this information. It’s frustrating, but it’s a factor in protecting client information.




