Let’s have a quick workplace information security pop quiz. The requests for information below all have enough truth to seem plausible. But in each case, trouble for the clearance holder lurks aplenty. (Hint: The response to all of them is, “Sorry. I’ll need to refer you to our public affairs office.”)
- The phone rings and a reasonably friendly voice asks to speak to the director of your classified program. The caller knows who your director is and mentions having met him at a specific conference that you know he attended.
- You are asked by a foreign company representative to send along data which could help them learn about a possible investment in your company. Money speaks and you know this company has been looking for investment opportunities recently.
- A colleague from another company meets you by chance at lunch. “Hey,” he asks, “can I run a couple ideas by you?” Or maybe it’s something as simple as a request for an email address from someone you really don’t know, but who seems friendly enough.
Your Public Affairs Office: The Public Face of Secrecy
It’s for precisely these encounters that our companies have public affairs or public information officers; they are your public face. They are the people you turn to when you don’t know an appropriate response. “I need to refer you to our public affairs office” should be the mantra of all clearance holders.
The public affairs officer can be one of your best friends. With their experience, they can evaluate the legitimacy of each call or contact. For instance, an adversary would not hesitate at all to lie about his status at the other end of a phone to get access to some information you aren’t allowed to share. The same goes for a foreign inquirer. Could be legitimate – or not. Leave it up to the public affairs officer to decide whether this is a real caller or someone just trying to elicit information from you.
Many have fallen into the trap of thinking they were talking to an “ally,” only to discover that it was a clever solicitor of information. And though the person did not discuss classified information, he gave away details which could be employed later in a more sophisticated attack. The lesson is clear: Let the public affairs officer know before you respond with information to someone you don’t know.
What’s the worst that can happen?
Consider what appears to be the simplest request above. A caller asks for an email address for someone you know. What could possibly go wrong? You give the email address. The caller, who is acting on behalf of a foreign government, or an adversary nation’s company, or even a domestic competitor, gets the information from you. The next trick he pulls is to send a realistic-looking email to the person whose email you just gave. Only now, the “sender” is you. The subject line looks totally legitimate.
Then the preventable surprise hits. When the recipient opens the message from “you,” it seems like nothing happens. Oh, but something did happen: a whole Pandora’s box of malware is unleashed. At the least, this will cause a “denial of service” to your company as a flood of bogus mail bombards it, causing your system to crash. Your whole office is brought to a standstill by someone who wants to stop your progress. Or even worse, it could have unleashed a ransomware attack, which will cause your company to receive a demand from some blackmailer for money to return your computers to service. Refer all such calls for assistance from people you don’t know to the public information officer.
Steps You Can Take Moving Forward
So how can you make this a matter of practice? In every public announcement your company makes, every website your business manages, and every public appearance your company representatives participate in, make known the name and contact information of your public affairs representatives.
Though your public affairs officer may not have access to all the information and programs that you do, he’ll know who can authorize the release of various materials, who can authorize access to various programs, and will act appropriately. He won’t be responding in a vacuum, but rather using an informed method to respond to inquirers who come from “nowhere.” Because he is there, you can rest easy if you receive such calls or contacts. Just refer inquiring minds to your friendly neighborhood public affairs officer.