Whether you work in an office or at a remote location, the physical security of sensitive or private information is critical to companies and customers. While it may be second nature for an employee to scan their badge when entering the office or connect to a secure wireless network on their laptop, these practices are part of the larger picture of a company’s physical security.
Regulated industries—for example, banking, insurance and dealerships—are under increased compliance scrutiny to protect customer information since they collect and store highly sensitive data. For instance, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to disclose their information-sharing practices to clients and take steps to protect sensitive data1. A common practice to assess security practices and demonstrate compliance includes walk-throughs of a company’s physical space, as organizations are required to secure data against the myriad of ways online and physical security can be compromised in today’s technology-driven environment.
Consider the two common scenarios below. What do you recognize as a best practice for physical security, and what could be improved?
Scenario 1: Employee Working in an Office
A senior associate at a consulting firm commutes to her office each day. She scans an access badge to enter her company’s floor of the building. She can walk throughout the office without needing a badge, but if she uses the stairwell to go to another floor, she needs to scan her badge to get back inside. The senior associate typically brings her laptop home each night. When she knows she is not going directly home, she leaves it in a locked drawer of her desk.
This evening, she is rushing out the door to meet a potential client for dinner. She quickly clears her desk of stray papers, locks up her laptop and dashes out of the office. Unbeknownst to her, she forgot to retrieve one of the documents she printed.
- THE GOOD: It is great that the senior associate locks up her laptop when she does not take it home with her. Her office is using strong physical security practices by requiring her to use a badge to enter the company space at any entry point. Remembering to clear off papers from her desk helps support a clean desk policy, so that cleaning or maintenance staff will not inadvertently see sensitive client data after hours.
- THE BAD: Leaving documents at the printer is one of the most vulnerable spots in an office setting. If a document contains any sensitive client information, like addresses, credit card numbers or Social Security numbers, this is a high-risk security event. Even if the printed document does not contain any of the information above, it could convey proprietary information that may not be appropriate for people in other departments—or those outside the company—to see.
- THE UGLY: The senior associate was not aware of the walk-through being conducted on her floor the same evening as her client dinner. Not only do the assessors see documents left at the printer, they check each employee’s desk. While they see a clean desk at her station, they attempt to open each drawer and look under her keyboard for any unsecured information. They find one drawer unlocked, containing a jumble of papers, including a written down reminder of her password. While someone would need to thoroughly search to find sensitive information in this scenario, it still presents a risk to the company should intruders gain access to the space.
Scenario 2: Remote Employee
A vice president works remotely 80 percent of the work week. He uses a home office, though he occasionally will work from a coffee shop, hotel lobby or airport lounge. He always makes sure to use a secure wireless network or the company-issued MiFi. In public, he uses a screen protector on his laptop, so that his work is not visible to others. When traveling for work, he turns off his laptop and leaves it in his hotel room; on the rare occasion when he stores his laptop in the rental car, he locks it in the trunk.
One evening, he was working late from his home office and walked away from his open laptop to make dinner. His son saw the open laptop and used it to search for a video game. The search took him to a gamers’ forum. He clicked on an ad link in the site.
- THE GOOD: The vice president is following a security best practice by using the company’s MiFi network, which will help keep his internet access safe. Also, by only using secure networks, he does not make his laptop vulnerable to hackers. Using a privacy filter screen is a good idea to keep sensitive information from being widely visible in a public place.
- THE BAD (AND THE POTENTIALLY UGLY): Leaving his laptop unlocked, even in his own home, exposes him and the company to risk. While his son did not expose his laptop to a virus, any browsing that leads to sites unrelated to business could potentially lead to a security threat for the entire network.
Key Takeaways for Physical Security
Building from the best (and worst) practices highlighted above, keep these 10 takeaways in mind as you look to enhance and maintain your company’s physical security:
Five things to know if you are an employee:
- Do not leave important papers on your desk overnight.
- Never pick up a stray thumb drive and insert it into your computer. These devices have been known to contain malware that could infect your computer.
- Check the printer before you leave the office to verify you have not left any sensitive documents in the printer tray.
- Always lock your computer when you step away from your desk – even if you are only gone a few minutes.
- Never use an open Wi-Fi network, and check that AP isolation is enabled on your laptop (this prevents other wireless devices connected to the network from being able to communicate with each other; therefore, lowering your risk of being hacked).
Five things to know if you are a company decisionmaker:
- Always authenticate visitors to your office – use a visitor log, require a photo ID and have front-desk team members verify the visitor’s appointment with the requested employee.
- Provide employees with a company MiFi network to increase data security when working remotely.
- Enforce a no tailgating policy for the office. Tailgating is when an employee holds open a secured door for someone to enter, especially if you do not recognize the person.
- Provide secure shred bins for the office to be used for any sensitive papers with client names and other personal data. This limits the risk that sensitive information could be uncovered by dumpster divers.
- Remind employees to never leave their access badges unattended or leave any security key fobs in their computer when they are not present.
Follow these best practices to provide physical security at your business, as well as employees who travel, work remotely or are based in the office.
About DHG IT Advisory
DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business. To learn more about DHG’s IT Advisory services, visit dhg.com/itadvisory.
- Federal Trade Commission (www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act)
If you experience issues with this form, please use a different web browser or contact us at firstname.lastname@example.org