More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians [trying to remedy a “network problem”] provided their computer login and changed their password [to the one suggested by the inspector].
Believe it or not, this was a fifty percent improvement from the results of a similar audit performed in 2001 when seventy-one percent of IRS employees gave up their login names and passwords.
It is safe to assume that none of these employees intended to do anything wrong, and, more to the point, they had no idea that they had done anything wrong. After all, in a large organization, where employees don’t normally have interactions with the organization’s network personnel, an employee receiving such a call could be caught off guard and, in an effort to be cooperative, provide the requested information.
Two things are needed: (a) a better understanding on the part of managers and employees that there are people (indeed, some very bad people) who can and will use these same techniques to break into critical information systems, and (b) training so that managers and employees respond correctly to such inquiries without having to think about it. The rule should be simple to state, and there should be no exceptions.
Anyone who asks for any password is up to no good. Anyone who asks for your password over the phone is a liar. Anyone who needs to know your password already knows it, can reset it, or can bypass it entirely.
The simple rule is, “Just say no.”