By John Brenberg
The sad reality for many corporate security professionals is this: Workers simply don’t apply the same vigilance to protecting corporate information as they do for their own personal information.
Workers who carefully shield their ATM screen while entering a PIN may make no attempt to cover their keyboard when logging into a work email account from a laptop in a public place. Or they may not think twice about leaving network log-in information taped to a computer monitor at work.
Similarly, workers who shred personal documents containing sensitive bank, credit card or medical information may be less cautious when handling sensitive corporate information. This could include reviewing corporate earnings information in view of potential onlookers while on a train ride home, or leaving a USB drive that contains details of a new product launch sitting on a hotel room table while attending a conference.
The fact of the matter is that a corporation’s ideas and closely guarded information can be targeted and “pickpocketed” just the way our personal information and valuables can. Especially as companies continue to spend record amounts on cyber-security—reaching an estimated all-time high of $75.4 billion this year—cyber-attackers will seek new weaknesses to exploit. That includes targeting employees who have access to their company’s networks and valuable information.
The challenge is clear: How can you get employees to break bad habits and protect corporate information with the same diligence they use for their personal information?
Employees are more likely to help protect your company’s intellectual property and other sensitive data if they understand what’s at stake. So, if possible, attach a dollar figure to projects, such as the revenue anticipated from a new product introduction or the potential financial impact of a pending acquisition. Understanding the larger financial implications can help employees comprehend the greater value of their work, which should motivate them to protect it from malicious outsiders.
Given the highly collaborative nature of today’s businesses, this awareness campaign should extend beyond the executive level to reach all stakeholders who access and handle sensitive information. They include marketing, accounting, research and purchasing professionals, as well as third-party organizations.
Identify Environmental Risks
Your employees work in a range of different environments, each of which can contain different threats to your sensitive information.
A growing number of businesses are using open-office floor plans to help drive employee collaboration. But these working environments also offer little privacy and may be susceptible to visual hacking, which is the unauthorized viewing or obtaining of sensitive, personal or private information for unauthorized use.
Fewer physical barriers can give a vendor, cleaning person or even a malicious employee more opportunities to view or capture sensitive information, whether it’s displayed on an employee’s screen or left out on a desk in hard-copy form.
The risks extend well beyond the confines of your offices. Employees who can access company networks and sensitive information using a laptop or mobile device also risk falling prey to hackers—whether they are on their daily train commute, working remotely from an airport or coffee shop, or attending a conference.
A risk assessment can help you identify the various risks encountered in different environments, whether inside or outside your company’s walls.
After conducting an assessment, you can put the proper policy and technology changes in place.
For example, it is generally a good policy for IT departments to give workers a loaner computer and perhaps even a loaner phone when they travel. Using these “clean” devices may help limit the information available to cyber-hackers and visual hackers in case a device is compromised, lost or stolen.
Policies should also be in place for workers traveling or working in regions where the expectation for privacy can be significantly lower than it is in the United States and other industrialized countries. The FBI has developed a number of warnings and recommendations to help workers protect company information when working abroad. These include:
· Be aware that your conversations may not be private or secure.
· Don’t leave electronic devices unattended.
· Clear your Internet browser’s cache, cookies, history and temporary Internet files.
· Avoid having non-company computers log on to your company’s network.
· Don’t allow foreign electronic devices to connect to your computer or phone.
· Know that wireless and other communications may be intercepted.