In the course of my engagement with several organizations
recently, I was amazed at the low information security consciousness around work
areas - desks and computers. With the acceptance of open offices in many
industries and the need to share computers at the workplace, inadequate
handling of sensitive information could expose both the employee and the
organization to the risks of unauthorized access to, loss of, and damage to
information, during and outside normal working hours. The resultant effect is an
adverse impact on reputation, finances, and health and safety.
Businesses handle sensitive information - employee and
customer personal information, intellectual property, business plans and
strategy, and financial data - and they rely on employees to manage and protect such
assets. However, many employees practice what I tag "conveniency":
scribbling passwords on sticky notes, documenting login information for critical
systems or services in notepads, keeping files with sensitive customer information
on their desks, on their computer desktops or in unlocked drawers, and the like.
Many employees meet with colleagues and/or clients at desks cluttered
with sensitive documents without considering possible prying eyes. Some do not
monitor the activities of computer support engineers working at their desks to resolve
issues. The computer, or the information on it, could be compromised
within moments. A few pages could be stolen from a sensitive file kept in an
unlocked drawer or cabinet. Once a breach occurs, the impact could be
significant.
It is important for every employee to be aware of the
security implications of leaving papers containing sensitive information on or
around the desk, and of leaving computers holding critical information unattended.
Implications of Inadequate Practice
Here are some of the implications of inconsistent
clear desk and clear screen practice at the workplace:
1. Fraud and Impersonation
People do change; unless you are a mind reader, you cannot
tell who wants to sabotage you or the organization. Sometimes it is simply a
curious eye that wants to see what it is not authorized to see. When you leave a
computer unattended, you expose yourself and your organization to the risk of
unauthorized access. If you also leave documents open in plain view while
absent from your work area, you stand to be taken advantage of. Incidents such
as fraud, theft and impersonation have occurred in some organizations,
implicating an employee who left his computer unattended. Be warned.
2. Unauthorized Access
When you leave both your desk and screen unattended, a curious
passerby could observe information they should not have access to. Computers
left unattended provide the opportunity for malicious data input, modification
or deletion under the logged-in employee's own account, so the audit trail
points at that employee and the blame often lands on him.
3. Non-compliance
Keeping a clear desk and clear screen at
work is vital in preventing information theft and data breaches.
It also reduces the chance of sensitive information being viewed or
taken by someone who does not have permission, whether another employee or a
visitor to the office. Anything inconsistent with this good practice is
unprofessional and non-compliant with the global standard ISO 27001 (Information
Security Management Systems), whose Annex A contains a dedicated clear desk and
clear screen control.
Imbibing the Culture
A culture of clear desk and clear screen should be instilled
to ensure that sensitive information, in both digital and physical form,
and critical information systems are not left unprotected at workspaces when
they are not in use, or when someone leaves his work area, whether for a short
time or at the end of the day. These are some good practices worth adopting:
a. As an organization
i. Implement a Clear Desk and Clear Screen Policy: ISO
27001 (Annex A control A.11.2.9 in the 2013 edition, A.7.7 in the 2022 edition)
calls for a clear desk policy for papers and removable storage media and a clear
screen policy for information processing facilities. The policy should require
employees to protect all papers on or around their desks, to log off or shut down
their computers when leaving for the day, and to lock them whenever they step away from
their desks, even momentarily. The policy should be documented and communicated to existing
employees and to new hires during onboarding.
ii. Run an Effective Awareness Program: Create
further awareness so that all employees habitually lock unattended computers with a
keyboard shortcut: press Windows key + L to lock the session immediately, or press
Ctrl+Alt+Del and choose Lock (labelled "Lock this computer" on older versions of
Windows). A lock is only as strong as the password or PIN behind it, so the
awareness message should cover both.
iii. Assign Accountability for Information Security: Most
importantly, establish structures and processes to enforce this policy and
other information security policies.
iv. Use Technology to Enforce Control: Deploy a
company-wide, centrally managed inactivity timeout (for example through Group Policy)
that starts the screen saver, locks the session after a short idle period and requires
the password to resume, so that a forgotten lock is corrected automatically within
minutes. The setting must come from central policy: if it is left to the user's own
personalization settings, the user can simply switch it off.
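The following PowerShell script is an added example, not code from the original post, showing how an administrator can audit a Windows workstation for the screen-lock settings behind the policy above and, with -Enforce, write them. It reads the per-user policy keys that the "Enable screen saver", "Screen saver timeout" and "Password protect the screen saver" Group Policy settings populate, plus the machine-wide "Interactive logon: Machine inactivity limit" value. The 900-second (15 minute) maximum is a hypothetical policy value chosen for illustration; a real deployment would normally push these values from a domain GPO or MDM profile rather than from a script on each machine.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the Windows screen-lock settings behind a clear screen policy.
# Assumptions: 900 seconds is a hypothetical policy maximum; writing the HKLM
# value requires an elevated session; tested concepts apply to Windows
# PowerShell 5.1 and later.

param(
    [int]$MaxIdleSeconds = 900,   # hypothetical policy maximum (15 minutes)
    [switch]$Enforce              # write the values instead of only reporting
)

# Per-user policy keys (what the User Configuration screen saver GPOs write)
$userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# Machine-wide inactivity limit ("Interactive logon: Machine inactivity limit")
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop }
    catch { $null }   # missing key or value means "not configured"
}

function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds)
    $active  = Get-RegValue $userPolicy 'ScreenSaveActive'         # "1" = screen saver on
    $timeout = Get-RegValue $userPolicy 'ScreenSaveTimeOut'        # seconds, stored as a string
    $secure  = Get-RegValue $userPolicy 'ScreenSaverIsSecure'      # "1" = password on resume
    $machine = Get-RegValue $machinePolicy 'InactivityTimeoutSecs' # DWORD seconds

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enforced by policy' }
    if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout is '$timeout'; policy maximum is $MaxIdleSeconds s"
    }
    if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume' }
    if (-not $machine -or $machine -gt $MaxIdleSeconds) {
        $findings += "Machine inactivity limit is '$machine'; policy maximum is $MaxIdleSeconds s"
    }
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

function Set-ScreenLockPolicy {
    param([int]$MaxIdleSeconds)
    foreach ($p in @($userPolicy, $machinePolicy)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    # The desktop subsystem reads these three as strings
    New-ItemProperty -Path $userPolicy -Name ScreenSaveActive    -PropertyType String -Value '1' -Force | Out-Null
    New-ItemProperty -Path $userPolicy -Name ScreenSaveTimeOut   -PropertyType String -Value "$MaxIdleSeconds" -Force | Out-Null
    New-ItemProperty -Path $userPolicy -Name ScreenSaverIsSecure -PropertyType String -Value '1' -Force | Out-Null
    # DWORD; applies to every interactive session on the machine
    New-ItemProperty -Path $machinePolicy -Name InactivityTimeoutSecs -PropertyType DWord -Value $MaxIdleSeconds -Force | Out-Null
}

if ($Enforce) { Set-ScreenLockPolicy -MaxIdleSeconds $MaxIdleSeconds }
$result = Test-ScreenLockPolicy -MaxIdleSeconds $MaxIdleSeconds
if ($result.Compliant) { 'Screen lock configuration meets policy' }
else { $result.Findings | ForEach-Object { "FINDING: $_" } }
```

Run it without arguments to get a list of findings for the current user and machine, or with -Enforce from an elevated prompt to apply the values. The machine inactivity limit is the more robust of the two controls because it locks the session regardless of per-user screen saver settings, which is why the script checks both.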
v. Regulate Printing and Copying: Control the use
of printers, photocopiers, scanners and cameras by reducing their number and use,
or by using release codes (pull printing) so that a job is only printed when the
person who sent it authenticates at the device. Any document sent to a
printer should be retrieved promptly.
vi. Establish a Good Document Management System: Go
paperless as an organization; that way, documents are not printed
unnecessarily and sticky notes disappear.
b. As an Employee, consciously
i. Use Physically Secure Storage for
Papers and Media: Paper documents, USB flash drives, memory cards, mobile
devices and other containers of sensitive information should be kept in
lockable drawers, cabinets, safes or file rooms when not required, or when
there is no one to look after them.
ii. Position Your Seat and Screen to Protect Your
Work: Computers and devices should be positioned so that people passing by
cannot look at the screens; where that is not possible, a privacy filter
narrows the viewing angle.
iii. Clear Boards at the End of Meetings: Ensure
that all information on whiteboards is erased and flip-chart pages are taken
away after a meeting. Shred any unwanted papers used.
In conclusion
A lack of security consciousness around the workspace leads
to the compromise of sensitive personal or organizational information. When
proprietary data, passwords, confidential documents, financial data, trade
secrets and sensitive emails are not deliberately protected from those who are
not authorized to access them, they can be disclosed, impacting
privacy or competitive edge. If you do not protect documents containing critical
information about your company's new product formula, disclosure can allow
competitors to beat you to market, adversely impacting expected
revenue. Whether through accidents, human error or malicious action, these
negative results can be avoided by adopting a disciplined culture of
clear desk and clear screen whenever you leave your work area. Act now.
Exhibit a duty of care toward the sensitive information in your custody, for your sake
and that of your employer.