Is it a good security practice to force employees hide their employer to avoid being targeted?
A young tech company which operates on sensitive data has employees that fall victim to phishing/porting scams despite its best efforts to instill security fobs, vpn, password managers, non-sms 2FA, limited email access and so on.
Is it a good practice to force employees to hide their employment status from the public to avoid being targeted for hacking (e.g. remove the employer from LinkedIn)?
phishing corporate-policy
asked 10 hours ago by y3sh
Comments:

"Is it good practice?" or "Is it effective?" Who are the threat actors? – schroeder♦ (10 hours ago)

Is it effective is probably the better question. Unsure who the threat actors are other than those wishing to gain access to sensitive data through employee vulnerabilities. – y3sh (9 hours ago)

You might want to check with local laws first. Forcing employees to not reveal who they work for on LinkedIn may be seen as anti-competitive and anti-labor, and may not even be legal. I'd tell the company to stuff it if they said I can't post who I work for on a website. – Steve Sether (6 hours ago)

"security fobs, vpn, password managers, non-sms 2FA, limited email access and so on." The problem seems obvious to me: you're describing technical solutions but you're worried about a human vulnerability. Are you doing anything to train the staff on how to respond to social engineering or phishing? All the password managers and policies in the world will fail to help if you're not also emphasizing the behavioral element. The tech- and policy-heavy approach can lull people into a false sense of security, if anything. – dwizum (1 hour ago)

It really depends on the company's threat model. Where did you say you worked again? – David Houde (39 mins ago)
add a comment |
A young tech company which operates on sensitive data has employees that fall victim to phishing/porting scams despite its best efforts to instill security fobs, vpn, password managers, non-sms 2FA, limited email access and so on.
Is it a good practice to force employees to hide their employment status from the public to avoid being targeted for hacking (e.g. remove the employer from LinkedIn)?
phishing corporate-policy
New contributor
y3sh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
A young tech company which operates on sensitive data has employees that fall victim to phishing/porting scams despite its best efforts to instill security fobs, vpn, password managers, non-sms 2FA, limited email access and so on.
Is it a good practice to force employees to hide their employment status from the public to avoid being targeted for hacking (e.g. remove the employer from LinkedIn)?
phishing corporate-policy
phishing corporate-policy
New contributor
y3sh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
y3sh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
y3sh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 10 hours ago
y3shy3sh
1112
1112
New contributor
y3sh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
y3sh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
"Is it good practice?" or "Is it effective?" Who are the threat actors?
– schroeder♦
10 hours ago
Is it effective is probably the better question. Unsure who the threat actors are other than those wishing to gain access to sensitive data through employee vulnerabilities.
– y3sh
9 hours ago
1
You might want to check with local laws first. Forcing employees to not reveal who they work for on linked in may be seen as an anti-competitive, and anti-labor and may not even be legal. I'd tell the company to stuff it if they said I can't post who I work for on a website.
– Steve Sether
6 hours ago
"security fobs, vpn, password managers, non-sms 2FA, limited email access and so on." The problem seems obvious to me: you're describing technical solutions but you're worried about a human vulnerability. Are you doing anything to train the staff on how to respond to social engineering or phishing? All the password managers and policies in the world will fail to help if you're not also emphasizing the behavioral element. The tech- and policy-heavy approach can lull people into a false sense of security, if anything.
– dwizum
1 hour ago
It really depends on the company's threat model, where did you say you worked again?
– David Houde
39 mins ago
add a comment |
2
"Is it good practice?" or "Is it effective?" Who are the threat actors?
– schroeder♦
10 hours ago
Is it effective is probably the better question. Unsure who the threat actors are other than those wishing to gain access to sensitive data through employee vulnerabilities.
– y3sh
9 hours ago
1
You might want to check with local laws first. Forcing employees to not reveal who they work for on linked in may be seen as an anti-competitive, and anti-labor and may not even be legal. I'd tell the company to stuff it if they said I can't post who I work for on a website.
– Steve Sether
6 hours ago
"security fobs, vpn, password managers, non-sms 2FA, limited email access and so on." The problem seems obvious to me: you're describing technical solutions but you're worried about a human vulnerability. Are you doing anything to train the staff on how to respond to social engineering or phishing? All the password managers and policies in the world will fail to help if you're not also emphasizing the behavioral element. The tech- and policy-heavy approach can lull people into a false sense of security, if anything.
– dwizum
1 hour ago
It really depends on the company's threat model, where did you say you worked again?
– David Houde
39 mins ago
2
2
"Is it good practice?" or "Is it effective?" Who are the threat actors?
– schroeder♦
10 hours ago
"Is it good practice?" or "Is it effective?" Who are the threat actors?
– schroeder♦
10 hours ago
Is it effective is probably the better question. Unsure who the threat actors are other than those wishing to gain access to sensitive data through employee vulnerabilities.
– y3sh
9 hours ago
Is it effective is probably the better question. Unsure who the threat actors are other than those wishing to gain access to sensitive data through employee vulnerabilities.
– y3sh
9 hours ago
1
1
You might want to check with local laws first. Forcing employees to not reveal who they work for on linked in may be seen as an anti-competitive, and anti-labor and may not even be legal. I'd tell the company to stuff it if they said I can't post who I work for on a website.
– Steve Sether
6 hours ago
You might want to check with local laws first. Forcing employees to not reveal who they work for on linked in may be seen as an anti-competitive, and anti-labor and may not even be legal. I'd tell the company to stuff it if they said I can't post who I work for on a website.
– Steve Sether
6 hours ago
"security fobs, vpn, password managers, non-sms 2FA, limited email access and so on." The problem seems obvious to me: you're describing technical solutions but you're worried about a human vulnerability. Are you doing anything to train the staff on how to respond to social engineering or phishing? All the password managers and policies in the world will fail to help if you're not also emphasizing the behavioral element. The tech- and policy-heavy approach can lull people into a false sense of security, if anything.
– dwizum
1 hour ago
"security fobs, vpn, password managers, non-sms 2FA, limited email access and so on." The problem seems obvious to me: you're describing technical solutions but you're worried about a human vulnerability. Are you doing anything to train the staff on how to respond to social engineering or phishing? All the password managers and policies in the world will fail to help if you're not also emphasizing the behavioral element. The tech- and policy-heavy approach can lull people into a false sense of security, if anything.
– dwizum
1 hour ago
It really depends on the company's threat model, where did you say you worked again?
– David Houde
39 mins ago
It really depends on the company's threat model, where did you say you worked again?
– David Houde
39 mins ago
add a comment |
3 Answers
Hiding your employer would not appear to be of any use at all when you want to hide the employee's email address from the public. If you hide your employer info but spread your contact details far and wide, the employer info is not interesting.
Managing digital footprint is always a good consideration but you have an awareness problem and a trust problem with your employees that such a policy is not going to address.
– schroeder♦, answered 9 hours ago
Schroeder's answer explains things very well, but I would like to offer a different view.
Employees will likely act online. They will ask questions on Stack Exchange, in support forums of vendors, etc.
If it's apparent whom they work for (e.g. by using the email address j.doe@awesomecorp.com), then an attacker looking to gain information about Awesome Corp will be able to gather information about systems being used by the company. Depending on how much information they (knowingly or unknowingly) expose, this may include:
- Configuration data
- Products and versions thereof used by the company
- Credentials
- Internal addresses
- Etc.
While this in itself may not directly constitute a vulnerability, it can show an attacker potential entry points and allows them to more efficiently understand the architecture of Awesome Corp.
The idea that J. Doe should hide that he is working for Awesome Corp is not necessarily useful. The problem arises when J. Doe discloses internal information.
As such, employing an information disclosure policy is very useful for the company. It should contain which information can be shared with vendors, the public, etc. In addition, employees should have someone to talk to if they are uncertain whether or not something is considered internal information.
– MechMK1, answered 9 hours ago

Comments:

That's all good too, but not about phishing or social engineering, as the OP is focused. – schroeder♦ (9 hours ago)

@schroeder And it's mentioned that it shouldn't be a concern, in general. You can observe this at every conference, when people start with "Hi, my name is ... and I work for ...". – MechMK1 (9 hours ago)

I disagree, in the sense that these two are closely related. "Hiding your employer for the sake of not being targeted for phishing" and "Hiding your employer for the sake of preventing information gathering" are, in my opinion, related enough and provide value to the question. Feel free to disagree though. – MechMK1 (9 hours ago)

I don't understand the point you make. I pointed out related things one needs to be aware of. I never claimed that my answer was "complete" (whatever this may mean in this context), only that it was another thing to be aware of. What exactly are you getting at? That the answer is "not an answer" (and should therefore be deleted) or that the answer is incomplete? – MechMK1 (9 hours ago)

And I told you in my previous comment that I don't believe it's unrelated, giving you a reason why I feel that way. – MechMK1 (8 hours ago)
The best security practice is to train the employees specifically to avoid phishing and scams in general. Also, you need to test them periodically, to check if they are actually reacting to scams as they were trained to do. Password managers with auto-complete functionality might also help because they can be used to detect wrong URLs before entering sensitive data on the internet. Hiding employment status seems useless to me, because its usefulness is going to be negligible compared to the best practice I mentioned above (training and testing).
– reed, answered 9 hours ago
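The answer above says that a password manager with auto-fill can catch a wrong URL before a credential is typed. The example below is added here to show why that works; it is not code from the original post nor from any real password manager. It models the matching rule that makes auto-fill a phishing tripwire: a saved credential is offered only when the page's origin (https, identical host, same port) equals the origin it was saved for. The vault entries, the "awesomecorp.com" hostnames (the placeholder domain used in the answers) and every URL below are constructed samples.

```python
"""Minimal model of password-manager auto-fill origin matching (added example)."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: origin the credential was saved on -> username.
# "awesomecorp.com" is the placeholder domain from the answers, not a real target.
VAULT = {
    "https://login.awesomecorp.com": "j.doe",
    "https://vpn.awesomecorp.com": "j.doe",
}


def parse_origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, ascii_host, port) for url, or None if it has no usable host.

    The host is lower-cased by urlsplit and then IDNA-encoded, so a homoglyph
    label such as a Cyrillic 'а' in 'аwesomecorp' becomes an 'xn--' label and
    can never compare equal to the ASCII hostname the credential was saved for.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port  # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, host, port


def origin_string(scheme: str, host: str, port: int) -> str:
    """Canonical origin: default ports are dropped so ':443' and no port match."""
    default = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" + ("" if port == default else f":{port}")


def fill_candidates(page_url: str) -> List[str]:
    """Usernames a manager would offer on page_url: exact-origin match only."""
    parsed = parse_origin(page_url)
    if parsed is None or parsed[0] != "https":
        return []
    origin = origin_string(*parsed)
    return sorted(user for saved, user in VAULT.items() if saved == origin)


def classify(page_url: str) -> str:
    """Explain the decision: 'fill', or the reason the manager stayed silent.

    The reasons are the patterns a phished employee typically meets: a plain-http
    clone, a saved hostname embedded in a longer attacker-controlled host, a
    punycode homoglyph host, or an unrelated lookalike spelling.
    """
    parsed = parse_origin(page_url)
    if parsed is None:
        return "no-fill: unparseable URL or host"
    scheme, host, port = parsed
    if scheme != "https":
        return "no-fill: not https"
    if origin_string(scheme, host, port) in VAULT:
        return "fill"
    saved_hosts = {urlsplit(saved).hostname for saved in VAULT}
    if host in saved_hosts:
        return "no-fill: saved host on a different port"
    if "xn--" in host:
        return "no-fill: punycode host (possible homoglyph)"
    if any(saved in host for saved in saved_hosts):
        return "no-fill: lookalike host embeds a saved hostname"
    return "no-fill: unknown host"


if __name__ == "__main__":
    samples = [  # constructed URLs, including a Cyrillic 'а' homoglyph
        "https://login.awesomecorp.com/",
        "https://login.awesomecorp.com:443/sso",
        "http://login.awesomecorp.com/",
        "https://login.awesomecorp.com.evil.example/",
        "https://login.\u0430wesomecorp.com/",
        "https://awesome-corp.com/login",
        "https://login.awesomecorp.com:8443/",
    ]
    for url in samples:
        print(f"{classify(url):55} {url}")
```

The design point is that the manager never reasons about whether a page "looks like" the real login; it only compares canonical origins, which is exactly the comparison a hurried human skips. The trade-off is usability: a company that runs its SSO on several hostnames must save the credential for each origin, which is still cheaper than the registrable-domain matching some products offer, since that would also fill on any subdomain an attacker manages to control.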
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
y3sh is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f211693%2fis-it-a-good-security-practice-to-force-employees-hide-their-employer-to-avoid-b%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Hiding your employer would not appear to be of any use at all when you want to hide the employee's email address from the public. If you hide your employer info but spread your contact details far and wide, the employer info is not interesting.
Managing digital footprint is always a good consideration but you have an awareness problem and a trust problem with your employees that such a policy is not going to address.
add a comment |
Hiding your employer would not appear to be of any use at all when you want to hide the employee's email address from the public. If you hide your employer info but spread your contact details far and wide, the employer info is not interesting.
Managing digital footprint is always a good consideration but you have an awareness problem and a trust problem with your employees that such a policy is not going to address.
add a comment |
Hiding your employer would not appear to be of any use at all when you want to hide the employee's email address from the public. If you hide your employer info but spread your contact details far and wide, the employer info is not interesting.
Managing digital footprint is always a good consideration but you have an awareness problem and a trust problem with your employees that such a policy is not going to address.
Hiding your employer would not appear to be of any use at all when you want to hide the employee's email address from the public. If you hide your employer info but spread your contact details far and wide, the employer info is not interesting.
Managing digital footprint is always a good consideration but you have an awareness problem and a trust problem with your employees that such a policy is not going to address.
answered 9 hours ago
schroeder♦schroeder
83k34185222
83k34185222
add a comment |
add a comment |
Schroeder's answer explains things very well, but I would like to offer a different view.
Employees will likely act online. They will ask questions on Stack Exchange, in support forums of vendors, etc.
If it's apparent whom they work for (e.g. by using the email address j.doe@awesomecorp.com), then an attacker looking to gain information about Awesome Corp will be able to gather information about systems being used by the company. Depending on how much information they (knowingly or unknowingly) expose, this may include:
- Configuration data
- Products and versions thereof used by the company
- Credentials
- Internal addresses
- Etc.
While this in itself may not directly constitute a vulnerability, it can show an attacker potential entry points and allows them to more efficiently understand the architecture of Awesome Corp.
The idea that J. Doe should hide that he is working for Awesome Corp is not necessarily useful. The problem arises when J. Doe discloses internal information.
As such, employing an information disclosure policy is very useful for the company. It should contain which information can be shared with vendors, the public, etc. In addition, employees should have someone to talk to if they are uncertain whether or not something is considered internal information.
That's all good too, but not about phishing or social engineering, as the OP is focused.
– schroeder♦
9 hours ago
2
@schroeder And it's mentioned that it shouldn't be a concern, in general. You can observe this on every conference, when people start with "Hi, my name is ... and I work for ...".
– MechMK1
9 hours ago
2
I disagree, in the sense that these two are closely related. "Hiding your employer for the sake of not being targeted for phishing" and "Hiding your employer for the sake of preventing information gathering" are, in my opinion, related enough and provide value to the question. Feel free to disagree though.
– MechMK1
9 hours ago
2
I don't understand the point you make. I pointed out related things one needs to be aware of. I never claimed that my answer was "complete" (whatever this may mean in this context), only that it was another thing to be aware of. What exactly are you getting at? That the answer is "not an answer" (and should therefore be deleted) or that the answer is incomplete?
– MechMK1
9 hours ago
2
And I told you in my previous comment that I don't believe it's unrelated, giving you a reason why I feel that way.
– MechMK1
8 hours ago
|
show 3 more comments
Schroeder's answer explains things very well, but I would like to offer a different view.
Employees will likely act online. They will ask questions on Stack Exchange, in support forums of vendors, etc.
If it's apparent whom they work for (e.g. by using the email address j.doe@awesomecorp.com), then an attacker looking to gain information about Awesome Corp will be able to gather information about systems being used by the company. Depending on how much information they (knowingly or unknowingly) expose, this may include:
- Configuration data
- Products and versions thereof used by the company
- Credentials
- Internal addresses
- Etc.
While this in itself may not directly constitute a vulnerability, it can show an attacker potential entry points and allows them to more efficiently understand the architecture of Awesome Corp.
The idea that J. Doe should hide that he is working for Awesome Corp is not necessarily useful. The problem arises when J. Doe discloses internal information.
As such, employing an information disclosure policy is very useful for the company. It should contain which information can be shared with vendors, the public, etc. In addition, employees should have someone to talk to if they are uncertain whether or not something is considered internal information.
That's all good too, but not about phishing or social engineering, as the OP is focused.
– schroeder♦
9 hours ago
2
@schroeder And it's mentioned that it shouldn't be a concern, in general. You can observe this on every conference, when people start with "Hi, my name is ... and I work for ...".
– MechMK1
9 hours ago
2
I disagree, in the sense that these two are closely related. "Hiding your employer for the sake of not being targeted for phishing" and "Hiding your employer for the sake of preventing information gathering" are, in my opinion, related enough and provide value to the question. Feel free to disagree though.
– MechMK1
9 hours ago
2
I don't understand the point you make. I pointed out related things one needs to be aware of. I never claimed that my answer was "complete" (whatever this may mean in this context), only that it was another thing to be aware of. What exactly are you getting at? That the answer is "not an answer" (and should therefore be deleted) or that the answer is incomplete?
– MechMK1
9 hours ago
2
And I told you in my previous comment that I don't believe it's unrelated, giving you a reason why I feel that way.
– MechMK1
8 hours ago
|
show 3 more comments
Schroeder's answer explains things very well, but I would like to offer a different view.
Employees will likely act online. They will ask questions on Stack Exchange, in support forums of vendors, etc.
If it's apparent whom they work for (e.g. by using the email address j.doe@awesomecorp.com), then an attacker looking to gain information about Awesome Corp will be able to gather information about systems being used by the company. Depending on how much information they (knowingly or unknowingly) expose, this may include:
- Configuration data
- Products and versions thereof used by the company
- Credentials
- Internal addresses
- Etc.
While this in itself may not directly constitute a vulnerability, it can show an attacker potential entry points and allows them to more efficiently understand the architecture of Awesome Corp.
The idea that J. Doe should hide that he is working for Awesome Corp is not necessarily useful. The problem arises when J. Doe discloses internal information.
As such, employing an information disclosure policy is very useful for the company. It should contain which information can be shared with vendors, the public, etc. In addition, employees should have someone to talk to if they are uncertain whether or not something is considered internal information.
Schroeder's answer explains things very well, but I would like to offer a different view.
Employees will likely act online. They will ask questions on Stack Exchange, in support forums of vendors, etc.
If it's apparent whom they work for (e.g. by using the email address j.doe@awesomecorp.com), then an attacker looking to gain information about Awesome Corp will be able to gather information about systems being used by the company. Depending on how much information they (knowingly or unknowingly) expose, this may include:
- Configuration data
- Products and versions thereof used by the company
- Credentials
- Internal addresses
- Etc.
While this in itself may not directly constitute a vulnerability, it can show an attacker potential entry points and allows them to more efficiently understand the architecture of Awesome Corp.
The idea that J. Doe should hide that he is working for Awesome Corp is not necessarily useful. The problem arises when J. Doe discloses internal information.
As such, employing an information disclosure policy is very useful for the company. It should contain which information can be shared with vendors, the public, etc. In addition, employees should have someone to talk to if they are uncertain whether or not something is considered internal information.
answered 9 hours ago
MechMK1MechMK1
3,32711236
3,32711236
That's all good too, but not about phishing or social engineering, as the OP is focused.
– schroeder♦
9 hours ago
2
@schroeder And it's mentioned that it shouldn't be a concern, in general. You can observe this on every conference, when people start with "Hi, my name is ... and I work for ...".
– MechMK1
9 hours ago
2
I disagree, in the sense that these two are closely related. "Hiding your employer for the sake of not being targeted for phishing" and "Hiding your employer for the sake of preventing information gathering" are, in my opinion, related enough and provide value to the question. Feel free to disagree though.
– MechMK1
9 hours ago
2
I don't understand the point you make. I pointed out related things one needs to be aware of. I never claimed that my answer was "complete" (whatever this may mean in this context), only that it was another thing to be aware of. What exactly are you getting at? That the answer is "not an answer" (and should therefore be deleted) or that the answer is incomplete?
– MechMK1
9 hours ago
2
And I told you in my previous comment that I don't believe it's unrelated, giving you a reason why I feel that way.
– MechMK1
8 hours ago
|
show 3 more comments
That's all good too, but not about phishing or social engineering, as the OP is focused.
– schroeder♦
9 hours ago
2
@schroeder And it's mentioned that it shouldn't be a concern, in general. You can observe this on every conference, when people start with "Hi, my name is ... and I work for ...".
– MechMK1
9 hours ago
2
I disagree, in the sense that these two are closely related. "Hiding your employer for the sake of not being targeted for phishing" and "Hiding your employer for the sake of preventing information gathering" are, in my opinion, related enough and provide value to the question. Feel free to disagree though.
– MechMK1
9 hours ago
2
I don't understand the point you make. I pointed out related things one needs to be aware of. I never claimed that my answer was "complete" (whatever this may mean in this context), only that it was another thing to be aware of. What exactly are you getting at? That the answer is "not an answer" (and should therefore be deleted) or that the answer is incomplete?
– MechMK1
9 hours ago
2
And I told you in my previous comment that I don't believe it's unrelated, giving you a reason why I feel that way.
– MechMK1
8 hours ago
That's all good too, but not about phishing or social engineering, as the OP is focused.
– schroeder♦
9 hours ago
That's all good too, but not about phishing or social engineering, as the OP is focused.
– schroeder♦
9 hours ago
2
2
@schroeder And it's mentioned that it shouldn't be a concern, in general. You can observe this on every conference, when people start with "Hi, my name is ... and I work for ...".
– MechMK1
9 hours ago
@schroeder And it's mentioned that it shouldn't be a concern, in general. You can observe this on every conference, when people start with "Hi, my name is ... and I work for ...".
– MechMK1
9 hours ago
2
2
I disagree, in the sense that these two are closely related. "Hiding your employer for the sake of not being targeted for phishing" and "Hiding your employer for the sake of preventing information gathering" are, in my opinion, related enough and provide value to the question. Feel free to disagree though.
– MechMK1
9 hours ago
I disagree, in the sense that these two are closely related. "Hiding your employer for the sake of not being targeted for phishing" and "Hiding your employer for the sake of preventing information gathering" are, in my opinion, related enough and provide value to the question. Feel free to disagree though.
– MechMK1
9 hours ago
2
2
I don't understand the point you make. I pointed out related things one needs to be aware of. I never claimed that my answer was "complete" (whatever this may mean in this context), only that it was another thing to be aware of. What exactly are you getting at? That the answer is "not an answer" (and should therefore be deleted) or that the answer is incomplete?
– MechMK1
9 hours ago
I don't understand the point you make. I pointed out related things one needs to be aware of. I never claimed that my answer was "complete" (whatever this may mean in this context), only that it was another thing to be aware of. What exactly are you getting at? That the answer is "not an answer" (and should therefore be deleted) or that the answer is incomplete?
– MechMK1
9 hours ago
2
2
And I told you in my previous comment that I don't believe it's unrelated, giving you a reason why I feel that way.
– MechMK1
8 hours ago
And I told you in my previous comment that I don't believe it's unrelated, giving you a reason why I feel that way.
– MechMK1
8 hours ago
|
show 3 more comments
The best security practice is to train the employees specifically to avoid phishing and scams in general. Also, you need to test them periodically, to check if they are actually reacting to scams as they were trained to do. Password managers with auto-complete functionality might also help because they can be used to detect wrong URLs before entering sensitive data on the internet. Hiding employment status seems useless to me, because its usefulness is going to be negligible compared to the best practice I mentioned above (training and testing).
answered 9 hours ago
reedreed
3,96731229
add a comment |
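The answer above relies on one concrete property of password managers: they key each saved credential to the origin it was captured on and refuse to auto-fill anywhere else, so a lookalike or subdomain-suffixed phishing host simply gets no credential. The following is an added illustration of that matching rule, not code from the page or from any real password manager; the vault entry, the `autofill_decision` function and the sample URLs are all constructed for the example.

```python
"""Model of the origin check a password manager performs before auto-filling.

Added example, not from the page or any real product. VAULT and every URL
below are constructed sample data.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: one credential, keyed by the exact origin
# (scheme + host + non-default port) it was saved on.
VAULT = {
    "https://login.example-corp.com": {
        "username": "alice",
        "password": "correct horse battery",
    },
}


def page_origin(url: str) -> Optional[str]:
    """Reduce a URL to its origin, or None if it is something we never fill on."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port such as ":abc"
    except ValueError:
        return None
    # Only https origins are eligible: a downgrade to http is itself a red flag.
    if parts.scheme != "https" or not parts.hostname:
        return None
    # .hostname is already lower-cased and has any "user@" prefix stripped, so
    # "https://login.example-corp.com@evil.test/" resolves to host evil.test.
    host = parts.hostname.rstrip(".")
    if port is not None and port != 443:
        return f"https://{host}:{port}"
    return f"https://{host}"


def autofill_decision(url: str) -> Tuple[Optional[dict], str]:
    """Return (credential, reason); credential is None when filling is refused."""
    origin = page_origin(url)
    if origin is None:
        return None, "refused: not an https URL with a valid host"
    cred = VAULT.get(origin)
    if cred is None:
        # Exact-origin match only: no prefix, suffix or "looks similar" logic,
        # which is precisely what defeats typo-squats and subdomain tricks.
        return None, f"refused: no credential saved for origin {origin}"
    return cred, f"filled: origin {origin} matches saved entry"


if __name__ == "__main__":
    # Constructed URLs: the legitimate login page plus typical phishing variants.
    samples = [
        "https://login.example-corp.com/sso?next=/home",       # genuine
        "https://LOGIN.Example-Corp.COM/",                     # case differs only
        "https://login.example-corp.com.evil.test/",           # real host as a subdomain
        "https://login.examp1e-corp.com/",                     # digit-for-letter typo-squat
        "https://login.examplе-corp.com/",                     # Cyrillic 'е' homoglyph
        "https://login.example-corp.com@evil.test/",           # userinfo trick
        "http://login.example-corp.com/",                      # downgrade to http
        "https://login.example-corp.com:8443/",                # different port, different origin
    ]
    for u in samples:
        _, why = autofill_decision(u)
        print(f"{u:50} -> {why}")
```

The point for the training discussion is that the manager never has to recognise the phishing page as hostile; it only has to notice that the page is not the one the credential was saved on. An employee who has been taught to treat "my password manager offered nothing here" as a stop signal gets a reliable, machine-checked cue that no amount of lookalike branding can fake.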
2
"Is it good practice?" or "Is it effective?" Who are the threat actors?
– schroeder♦
10 hours ago
"Is it effective?" is probably the better question. Unsure who the threat actors are, other than those wishing to gain access to sensitive data through employee vulnerabilities.
– y3sh
9 hours ago
1
You might want to check with local laws first. Forcing employees to not reveal who they work for on LinkedIn may be seen as anti-competitive and anti-labor, and may not even be legal. I'd tell the company to stuff it if they said I can't post who I work for on a website.
– Steve Sether
6 hours ago
"security fobs, vpn, password managers, non-sms 2FA, limited email access and so on." The problem seems obvious to me: you're describing technical solutions but you're worried about a human vulnerability. Are you doing anything to train the staff on how to respond to social engineering or phishing? All the password managers and policies in the world will fail to help if you're not also emphasizing the behavioral element. The tech- and policy-heavy approach can lull people into a false sense of security, if anything.
– dwizum
1 hour ago
It really depends on the company's threat model, where did you say you worked again?
– David Houde
39 mins ago