Every organisation has, or should have, a security policy detailing how the workforce handles the organisation’s lifeblood – its sensitive data. However, while it will cover a myriad of processes that need to be adhered to, often it doesn’t take into account basic stupidity on the part of the workforce. The politicians leaving Number Ten with strictly confidential dossiers under their arm, for the waiting photographers to capture with their telephoto lenses, is exactly what I’m talking about.
So, here’s our ‘security policy for dummies’ guide for you to share with your workforce:
1. Be aware of your surroundings
Go on, admit it – how many of you have looked at the screen of someone dutifully typing away on their laptop or flicking through their emails on a smartphone? The problem for these hard workers is that they’re concentrating so hard on what they’re doing that they fail to take in their surroundings or the people in close proximity. In the majority of cases it will just be a nosey parker that’s shoulder surfing, but it only has to be one occasion when it’s not.
Although it might sound like something out of a spy novel, it has been known for people to be targeted for the information that they’re carrying, and the mobile device doesn’t have to be stolen to give up the corporate goods.
2. Think about what you’re doing
While we’re on the subject of surroundings, it’s also worth advising employees to think about what it is that they’re looking at. Do they really need to be accessing sensitive information in a public place? If so, what are they doing with it? How are they getting it? For example, if the connection they’re using isn’t secure, i.e. free wi-fi rather than a VPN connection, then they’re no different from the ridiculed politicians in Downing Street.
3. Think before you print
One of the things that hardly ever gets a mention in security policies is printing, reading and disposing of sensitive information. The points already made are equally relevant to reading sensitive documents on paper in a public place.
Also, disposing of it properly needs to be covered. It’s not rocket science, and still organisations are publicly humiliated because sensitive documents have been left out with the bins! Of course, the environmentally friendly amongst you will be saying that it should be recycled anyway, which I wholeheartedly agree with, and the best way is to use one of the many reputable companies that shred your sensitive information on site before taking it away for recycling.
4. Don’t leave devices unattended
This one might seem like common sense but, believe me, I’ve been on a train or plane where the person sitting next to me asks me to keep an eye on their device while they nip to the loo. While taking the device would arouse suspicion, a quick copy of the hard drive to a USB stick is unlikely to leave an obvious trace – especially to the untrained eye.
Of course, as an organisation you could make sure that information transferred from the device to a portable memory device is encrypted so that, if this were to happen, there would be little the thief could do with the information. That said, it wouldn’t stop the files and documents from being perused, and notes made, in the interim.
5. Don’t lose devices
No matter how much we tell people not to leave devices behind, and let’s face it, it’s often not done on purpose, it’s something that you will need to repeat at every given opportunity.
Of course, one way to get round this, and it’s not just me telling you this as it’s also the advice from the Information Commissioner, is to make sure all sensitive information is encrypted. That way, if a mobile device goes astray, accidentally or maliciously, it’s merely inconvenient rather than injurious.
6. Don’t be too obvious
In the same way that we’re told not to leave valuables on display in cars, or flash our money-filled purses, consideration should be given to how, and where, we keep our mobile devices.
For example, laptop bags are very practical for carrying, well, laptops, but the problem with them is that it’s hardly a secret what’s inside. Nothing screams ‘steal me if you can’ like a laptop bag that doesn’t have someone holding on very tightly to it.
7. Patch the device
I’m sure the majority of your workforce are frustrated by the plethora of pop-ups, when they power up their devices, asking for various updates to be installed. The problem is that user apathy may mean the ‘remind me later’ option is taken too often. It’s wise to advise your workforce that updates to their devices are vital not only to keep them in tip-top condition but also to keep them secure.
These points may seem very basic, and yes they are, but the reality is that we eat, sleep and breathe security and the workforce doesn’t. The sad reality is that the majority of security breaches experienced by organisations today are avoidable.
Grant Taylor is a UK VP at Cryptzone, a technology innovator of proactive controls to mitigate IT security risk in the key areas of Policy Compliance, Content Security, Secure Access and Endpoint Security. More information at: www.cryptzone.com