Lessons from HP

When it was learned that Hewlett-Packard chairwoman Patricia Dunn hired
third-party investigators to gain access to the telephone records of
board members and reporters, those unfamiliar with the practice of
pretexting gasped. Many in the security industry smiled knowingly.

Pretexting, a form of social engineering, is an investigative technique
widely used to obtain personal information under false pretenses, and
according to people in the industry I spoke with, can be “very
effective.”
“Does it happen? Absolutely,” one seasoned security professional told me.  

Practically speaking, if a pretext call leads to disclosure of
information, then that should be fraud, as defined in the Criminal
Code. But the reality is, the technique is used in investigations often
to verify people are who they say they are and for more innocuous
reasons than HP was interested in.

It’s probably not the avenue corporate Canada wants to pursue on its
own however, without some advice from those with in-house expertise. In
fact, one security official I spoke with suggested the HP example is
best described as, “What not to do.”

There are other means to discover the information Dunn was trying to
nail down. By not using those options she recklessly put her
shareholders and ultimately her position at risk. Tried and true
interview techniques could have been used to determine if someone on
the board was speaking out of school.

Dunn paid the price for her actions, and the takeaways from the HP
experience should be numerous for corporate Canada. The first one is
obvious: If you’re going to use pretexting, be prepared to handle the
exposure if it does hit the media, as it did with HP.

“Think of the damage to your company if it hit the front page,” one expert suggested to me.

Most non-security executives don’t understand the ramifications of
using pretexting. One seasoned investigator said he advises all large
corporations he works with to make a plan to manage the message if the
investigation gets public attention. If possible, keep human resources
and the public relations team in the loop when any internal
investigation is taking place to help mitigate any damage that could be
done if the news hits the street.

Perhaps the most important lesson the HP case raises is that all
organizations are vulnerable to pretexting, therefore those who work in
risk management roles need to educate employees about it. Make sure
people are trained to validate the identity of the person they are
speaking with on the phone prior to disclosing information about
themselves or a client, as well as ensuring they can in fact,  disclose
such information.

An information classification system within an information security
policy is a good start. If that is something you haven’t explored with
your executive team, it might be a good time to raise the issue. Most
in the security and risk management profession know the time to get the
attention of the C-suite is when the iron is hot, or in this case, when
the headlines are still burning in the mind’s eye.