You've checked all of the entry ways in your office building, you have surveillance technology in place, and IT assures you that your firewalls are bulletproof. But have you checked your staff's desks? That may be one of the largest holes in a company's security plan.
Desks and other work spaces often have items on or around them that contain sensitive information, and that information can be dangerous if it gets into the wrong hands.
Just how vigilant are employees when it comes to keeping sensitive information secure at the office? We tested our own staff here at CSO to see how secure the desks are in our offices. Also, employees can check their own security smarts by taking The Clean Desk Test). As we found out, even at a security publication, some staffers are pretty lax about keeping information safe. (And yes, we got our CEO's blessing before we went snooping around.) Here are the top errors we encountered in our after-hours inspection.
Writing passwords on sticky notes
This was probably the biggest offense we noted when we walked around the CSO office after hours. Several employees had sticky notes on their computer monitors with passwords and/or personal ID numbers written on them. While employees may have a difficult time keeping track of all of their passwords, writing that information down on a piece of paper and leaving it out for all eyes to see is never a good idea. Keep in mind that after the office closes, many strangers can access the work space. One can never tell when a person might try and use employee passwords to compromise an account.
Writing sensitive information on a white board
Staff often brainstorm together and write down their ideas on a whiteboard. Several offices here at CSO had whiteboards. We found one with client names and billing information written on it. The information would have been very valuable to any potential competitors. After a work session, employees should put information in a less obvious place and put it away after hours. Advise staff to erase all whiteboards regularly.
Leaving sensitive documents on the desk
Also on several desks, we spotted detailed client contracts with billing terms. Like the whiteboard, the information might be valuable to competition. But depending on who views it, the client's information might also be used for ill-gotten gains. Any documents with sensitive data belong in a locked drawer or container.
Leaving a calendar or day planner out on a desk
One day planner we found contained private sales-related information. But a calendar might also contain the agenda or travel itinerary of a member of the staff. Depending on the company, that staff member (an executive, for instance) might be a potential target. All calendars and day planners should be locked up or taken out of the office at the end of the day.
Leaving an access card out
We found one desk with an access card hidden under a keyboard. That's not much better than leaving it in plain sight -- it's like putting your house key under the welcome mat, the first place a thief will look. Access cards are used to protect staff from an unwanted intrusion. If an access card gets into the wrong hands, it can allow unauthorized people to roam around freely. Staffers should keep possession of their cards at all times.
Forgetting the printer
The printer in our office had several vendor contracts discarded in a pile of papers. After staff finish with printing jobs, they need to be mindful of any documents that were printed, even the ones that aren't needed, and dispose of them appropriately.
CSO Online is an InfoWorld affiliate.