IT Security Tip: When not to be helpful

If you manage IT and have a phone, you probably get dozens of calls a day from salespeople and researchers. Most of them are very good at keeping you on the phone.

It is in our nature to want to help people

The calls always start with a very chipper person introducing themselves and their company. Researchers often add that they are not trying to sell anything. Then comes a question like "What are you using for storage?" It is difficult not to answer. We want to be helpful. Why shouldn't I answer?

Giving out information about your network is a security risk

I suspect I could call 10 IT people and get critical configuration information from five of them by pretending to be a salesperson, researcher, or peer.

  • What firewall are you using?
  • What VPN solution do you have?
  • Do you have any issues with it you would like to see fixed?
  • Do you struggle with patch management?
  • What log management system are you using?

All of this information can be used to design an attack against your company. Knowing which firewall, VPN, or logging product you run tells an attacker which known vulnerabilities and default configurations to try first, and which vendor to impersonate in the next call or email.

Ask yourself: who needs to know this information?

Nobody outside your organization needs to know how your network is configured.

What happens if the vendor or researcher gets hacked?

If I were a hacker, I would want to get hold of any vendor’s CRM database. That could contain a significant amount of information about a potential target’s networks. How secure is the data you provide to vendors? Why take the risk?

What to say when someone calls and asks “What product do you use for xyz?”

"I am not allowed to provide that information over the phone." Repeat that as often as needed. You can add that you are constrained by policy and cannot provide any information about the network, software, or anything else.

Bonus tip: How to get a vendor off the phone

Unless this is a vendor you want to talk to, simply tell them you are not soliciting new vendors at this time. Don't tell them whether you do or do not have a solution; that in itself is a security risk. Just tell them you are not looking for new vendors, thank them, and hang up.

I even added a short blurb at the end of my voice mail message that says “If you are a vendor, we are not soliciting new vendors at this time. Messages will not be returned.” I am polite but it is a way of letting them know I don’t want to keep getting calls. If I am looking for new vendors I might say “If you are a vendor for XYZ products, please leave a message. We are not soliciting other vendors at this time.”

Some people think that is rude. I find the decrease in spam voicemail a relief.

Bonus bonus tip: Decrease unsolicited email messages

[Image: Outlook Junk Button]

I must get 20 email messages a day from vendors asking me to meet with them to discuss how they can save me money, time, etc. I save more time by not reading their email. (Yes, I am a little bitter at the massive amount of junk mail I have to wade through.)

Outlook has a feature which many people overlook. Simply click on the Junk button and select "Block Sender." From then on, mail from that address is delivered straight to the Junk Email folder. Note that this blocks only that sender address; a vendor who writes from a different address or a colleague's mailbox will still reach your inbox.

If you want a more extreme way of blocking junk, you can try something I have been experimenting with.


Updated 09/23/2014 for grammatical errors.