Websites and the Need to Know
Why do some companies and organizations, especially non-profits, feel the need to post the names of their entire staffs on their websites? The question came up in a recent conversation with an IT colleague.
Smaller companies and non-profits seem to get hack-attacked more often, and they tend to list everyone in the company or organization on their websites – along with their contact information. If that organization is running “lean and mean,” it could have a lot of people wearing many hats and juggling unrelated tasks. That can create a vulnerability when an outsider can distract a busy worker who has access to sensitive information.
Here’s a possible scenario that illustrates the problem.
When you list the contact info for the bookkeeper, you may be listing it for an employee who has access to all the organization’s financial data but has no need for public contact. A hacker doesn’t need to be especially skillful to use the bookkeeper’s email address to launch a phishing attack in a variety of ways. The most obvious, of course, would be to spoof a bank. But it could also be a spoof email from someone connected with the organization who is looking for something, such as wanting to know if a check was deposited.
If the bookkeeper responds to the bogus bank link or the spoofed email, it could open the door to getting more financial information or sensitive data – not only from your organization but from every person or organization you deal with.
Why take the risk? If you limit names and contact information to those whose duties involve some aspect of public contact, you can limit your exposure. If someone really needs to contact your bookkeeper, for example, they can call a general phone number for the organization where a gatekeeper can determine if it’s a legitimate call or can “take a message” so the bookkeeper or another employee can return the call. If the contact is made by email, it can go to a general mailbox, where a gatekeeper can read it and distribute it appropriately.
If you limit contact info in a small company or non-profit to the C-Suite, you can limit your exposure to hacking, ransomware and other vulnerabilities. If people outside your organization need to contact specific individuals, that information can be provided privately.
We can help. Call us – 973-433-6676 – or email us to help you set up appropriate email addresses and work with your web designer to make your website more secure.