There is no doubt that cyberattacks are a major risk to most organizations. Something as simple as an employee accidentally browsing to a malicious website can lead to the complete compromise of hundreds of thousands of records containing confidential information. So, it is no wonder that companies spend billions of dollars a year on cybersecurity. What may be a little more surprising is that in some cases, cyber-breaches are tied directly back to physical security failures. In fact, some of the biggest breaches of personal information have been traced to a simple physical security mistake. For example, several hundred thousand personal records, including social security numbers, were lost when an employee left his laptop in his car while he stopped at a restaurant to get some food. Unfortunately for all affected, that laptop contained an unencrypted database full of confidential information; with full-disk encryption in place, the same theft would have cost the organization a laptop rather than a breach.
It turns out that each employee has the potential to inadvertently leak confidential data numerous times throughout the day. And often it’s the smallest mistakes that lead to a complete corporate breach. To reduce that risk, this article will outline some of the more common areas where mistakes are made and outline what you can do to avoid them.
Securing Your Desk
Whether you are in a cubicle or an office, your desk is generally your main work area. One of the most common mistakes I come across is a person walking away from their desk and leaving their computer logged in. In most cases, this is because the employee intends to come back in the next minute or two. What is often forgotten is that malware can be loaded on an unlocked computer in seconds.
For example, when I am onsite, possibly pretending to work for a pest control company, if I see a person walk away from his desk, I will immediately go to that desk. If the computer is logged in, I open a web browser and go to a webpage I set up in advance, from which I download and run malware on that desktop. The entire process takes between 15 and 30 seconds. As soon as the malware is installed, I close the web browser and walk away.
If, on the off chance, the person returns while I am still at his desk, the webpage is made to look like my pest control website, and I explain that I was simply looking up something related to the job. Just like that, the employee's computer is compromised, and whatever access they have, I now have from anywhere in the world.
To resolve this threat, simply remember to always lock your computer when you walk away. Even if you only plan to be gone a few seconds, press the "Windows" key and the letter "L" at the same time and your Windows computer will be locked. On a Mac, Control-Command-Q locks the screen (on older keyboards with an Eject key, Option-Command-Eject puts the machine to sleep instead); in either case you need "Require password after sleep or screen saver begins" turned on, set to "immediately", or the screen is not actually protected. It's simple and can greatly reduce your risk. Because people forget, the habit should be backed by policy: the organization should enforce an automatic lock after a short idle period so that a forgotten lock costs minutes of exposure rather than hours.
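As a complement to the manual lock described above, the following PowerShell snippet is an added example (not part of the original article) showing how to audit and enforce an inactivity screen lock for the current Windows user through the per-user registry values that the "Screen saver timeout" and "Password protect the screen saver" settings map to. It assumes a Windows 10/11 workstation; the 300-second timeout and the choice of the built-in blank screen saver are assumptions for illustration, and the function names are the example's own.

```powershell
# Added example: audit and enforce an idle screen lock for the current user.
# Assumes Windows 10/11. Values are REG_SZ, matching what the Control Panel writes.
$DesktopKey = 'HKCU:\Control Panel\Desktop'

# What we consider compliant (assumed values, adjust to your policy).
$Required = @{
    ScreenSaveActive    = '1'                                    # screen saver enabled
    ScreenSaverIsSecure = '1'                                    # require password on resume
    ScreenSaveTimeOut   = '300'                                  # idle seconds before it starts
    'SCRNSAVE.EXE'      = "$env:SystemRoot\System32\scrnsave.scr" # built-in blank screen saver
}

function Get-ScreenLockSettings {
    # Read the current values; missing properties come back as $null.
    $props = Get-ItemProperty -Path $DesktopKey
    [pscustomobject]@{
        ScreenSaveActive    = $props.ScreenSaveActive
        ScreenSaverIsSecure = $props.ScreenSaverIsSecure
        ScreenSaveTimeOut   = $props.ScreenSaveTimeOut
        'SCRNSAVE.EXE'      = $props.'SCRNSAVE.EXE'
    }
}

function Test-ScreenLockCompliance {
    # Returns the list of settings that differ from policy (empty list = compliant).
    # The timeout is compliant if it is set and no longer than the required value.
    $current  = Get-ScreenLockSettings
    $findings = @()
    foreach ($name in $Required.Keys) {
        $actual = $current.$name
        $ok = if ($name -eq 'ScreenSaveTimeOut') {
            $actual -and ([int]$actual -le [int]$Required[$name]) -and ([int]$actual -gt 0)
        } else {
            $actual -eq $Required[$name]
        }
        if (-not $ok) {
            $findings += "$name is '$actual', expected '$($Required[$name])'"
        }
    }
    return $findings
}

function Set-ScreenLockPolicy {
    # Write the required values, then ask the session to reload user parameters.
    foreach ($name in $Required.Keys) {
        Set-ItemProperty -Path $DesktopKey -Name $name -Value $Required[$name]
    }
    # Applies most desktop parameters without a logoff; a fresh logon is the sure way.
    rundll32.exe user32.dll,UpdatePerUserSystemParameters
}

$findings = Test-ScreenLockCompliance
if ($findings.Count -eq 0) {
    Write-Host 'Screen lock policy: compliant'
} else {
    Write-Host 'Screen lock policy: NOT compliant'
    $findings | ForEach-Object { Write-Host "  - $_" }
    Set-ScreenLockPolicy
    Write-Host 'Settings applied; log off and on again if the lock does not engage.'
}
```

In a domain, the same four settings are better pushed centrally through Group Policy (User Configuration, Administrative Templates, Control Panel, Personalization), which writes the policy equivalents under HKCU\Software\Policies and prevents the user from turning the lock back off; the per-user script above is the quick check for a single machine or a non-domain laptop.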
Another problem employees run into at their desk is the amount of paper that accumulates throughout the day. Many of these papers contain confidential information, and with just one small mistake they can end up in the wrong hands. None of us likes to think that someone snoops around our desks when we are away. However, when I have been hired to "rob" a facility for testing and am onsite, the minute I see a desk unattended I go to it and use my phone to take pictures of every document left lying out. It's also simple and takes just a few seconds.
If the employee returns in the meantime, I make an excuse for being around the desk and then walk away. No one has any idea that all the information left on the desk has just been compromised. The simple solution is to never leave your desk unattended with any documents containing confidential information or PII lying out. Placing them in a drawer is enough if you are just stepping away for a minute; locking them up if you will be gone for a longer period is the right process.
Stop The Tailgaters
Many larger organizations require keys or access cards to gain access to certain areas of the facility. The problem is that once the door is open, anyone can walk through. Criminals will often take advantage of the kindness of others to follow an authorized employee into these secured areas, a technique known as tailgating (or piggybacking). One common scam is for a criminal to wear a delivery uniform and load several large boxes into their arms. When an employee approaches a secured door, the criminal times his pace to arrive at approximately the same time. The employee will no doubt feel bad for the delivery person with the full arms, so they hold the door open to help. Other scams include flower delivery or a person in a suit claiming to be new and lost. Whatever the angle, the simple solution is to never allow another person to enter a secured area with you; everyone badges in on their own. Yes, sometimes this might be a little awkward, because you literally need to close the door in another person's face. But if everyone follows the same security protocol, then everyone should understand that it is not personal, it is policy.
Beware of The Printer
In most organizations, printers are kept in common areas and shared by multiple employees. The problem occurs when documents containing confidential information are printed. The most common mistake is that an employee prints the document but does not immediately go to the printer to retrieve it. The longer it remains unattended at the printer, the more opportunity exists for that document to end up in the wrong hands.
There have been many cases where I have gained access to a facility under the pretense of performing a pest inspection, as an air conditioning repairman, or in one of dozens of other disguises. While in the facility, I continually walk by the printers in hopes of finding unattended documents. When I see them, I grab them and place them in my bag. The employee who printed the document generally assumes that if it's not there, the printer had a problem, and simply prints it again.
The best way to protect against this type of breach is to be ready to collect your document as soon as you print it. When you click the "print" button, immediately get up and go to the printer. Don't assume that it's fine to check on it in a few minutes, because sometimes you will receive a call or encounter another distraction, and that document may sit on the printer for hours, just waiting to be seen by not-so-friendly eyes. Where the organization offers secure (pull) printing, which holds the job until you authenticate at the printer with your badge or PIN, use it; it removes the window entirely.
Don’t Forget About The Paper
By now everyone knows that confidential information should be shredded and never thrown in the trash. Yet most recycle bins and dumpsters at organizations throughout the United States end up with a handful of documents containing confidential information each week.
How is that possible? Once again, it comes down to simple mistakes. The most common one: an organization has one or two shred bins located in the facility, and employees are expected to place items that need to be shredded into those bins. Because employees get busy, they do not always have time to get up and walk over to the shred bin each time they have a document to discard. Instead they set it on their desk with a plan to dispose of it later. Unfortunately, those documents sometimes end up mixed in with others that do not require shredding and ultimately find their way into the recycle bin or trash can.
It is important to note that recycling is not shredding and should not be treated as such. In other cases, an employee may keep a box under his desk into which he throws all items that need to be shredded, and is expected to empty that box into the main shred bins at the end of the day. All it takes is forgetting to empty the box, and those documents are now accessible to the cleaning crew or other after-hours visitors.
When disposing of documents, two simple tips minimize the risk. First, plan to shred all documents that contain any confidential details or PII. Even documents with only a person's name, including used envelopes, should be shredded. Your goal is to ensure that there is nothing in the trash or recycle bin that could in any way tie an individual back to your organization.
The second step is to shred the document the minute you are finished with it. Yes, that means you may be making numerous trips to the shred bin, but ultimately the extra time will be far less than the time required to deal with a situation in which confidential information ends up in the wrong person's hands.
Private data in any form can be a risk to you and your organization. It's important to remember that while physical security may not seem as cutting edge as network-based security, all it takes is one document with confidential information ending up in the wrong hands to lead to a corporate breach.