Clear Desk and Clear Screen
In the course of my engagement with several organizations recently, I was amazed at the low level of information security consciousness around the work area – desks and computers. With the acceptance of open offices in many industries and the need to share computers at the workplace, inadequate handling of sensitive information could expose both the employee and the organization to the risks of unauthorized access to, loss of, and damage to information during and outside normal working hours. The resultant effect is an adverse impact on reputation, finances, and health and safety.
Businesses handle sensitive information – employee and customer personal information, intellectual property, business plans and strategy, and financial records – and they rely on employees to manage and protect such an asset. However, many employees practice what I tag “conveniency” – scribbling passwords on sticky notes, documenting login information for critical systems or services in notepads, keeping files with sensitive customer information on their desks, on their computer desktops or in unlocked drawers, and the like. Many employees meet with colleagues and/or clients at desks cluttered with sensitive documents without considering possible prying eyes. Some do not monitor the activities of computer support engineers working at their desks to resolve issues. The computer, or the information on it, could be compromised within moments. A few pages could be stolen from a sensitive file kept in an unlocked drawer or cabinet. Once a breach occurs, the impact could be significant.
It is important for every employee to be aware of the security implications of leaving papers containing sensitive information on or around the desk, and of leaving computers holding critical information unattended.
Here are some of the implications of inconsistently practicing clear desk and clear screen at the workplace:
- Fraud and Impersonation
People do change; unless you are a mind reader, you cannot tell who wants to sabotage you or the organization. Sometimes it could be a curious eye that wants to see what it is not authorized to see. When you leave your computer unattended, you expose yourself and your organization to the risk of unauthorized access. If you also leave documents open in plain view while absent from your work area, you stand to be taken advantage of. Incidents of fraud, theft, impersonation and the like have occurred in some organizations, implicating an employee who left his computer unattended. Be warned.
- Unauthorized Access
When you leave both your desk and screen unattended, a curious passerby could observe information they should not have access to. Computers left unattended provide the opportunity for malicious data input, modification, or deletion, often with the blame falling on the employee.
It is obvious that keeping a clear desk and clear screen at work is vital in preventing information theft and data breaches. It also reduces the chance of sensitive information being viewed or taken by someone who does not have permission, whether it is another employee or a visitor to the office. Anything inconsistent with this good practice is unprofessional and non-compliant with the global standard (ISO 27001 – Information Security Management System).
Imbibing the Culture
A culture of clear desk and clear screen should be imbibed to ensure that sensitive information, both in digital and physical format, and critical information systems are not left unprotected at workspaces when they are not in use, or when someone leaves his work area, either for a short time or at the end of the day. These are some good practices worth adopting:
As an organization
- Implement a Clear Desk and Clear Screen Policy: ISO 27001 (A.11.2.9) indicates that a policy on the subject is necessary, covering papers, removable storage media and information processing facilities. The policy should require employees to protect all papers on or around their desks, to log off and/or shut down their computers when leaving for the day, and to lock them when moving away from their desks momentarily. The policy should be documented and communicated to existing employees, and to new intakes during on-boarding.
- Run an Effective Awareness Program: Create further awareness so that all employees use keyboard shortcuts to lock unattended computers as a matter of routine – press CTRL+ALT+DEL and click Lock this computer, or press Windows Key + L and the computer locks at once.
- Assign Accountability for Information Security: Most importantly, establish structures and processes to enforce this policy and other information security policies.
- Use Technology to Enforce Control: Deploy company-wide time-activated screen savers, screen lock and password protection to minimize chances that someone takes advantage of unattended equipment.
- Regulate Printing and Copying: The use of printers, photocopiers, scanners and cameras should be controlled, by reducing their number and use, or by using code-release functions (a code entered at the device) that allow only authorized persons to collect material sent to them. Any document sent to a printer should be retrieved as soon as possible.
- Establish a Good Document Management System: Go paperless as an organization; in that way, documents will not be printed unnecessarily, and sticky notes will disappear.
As an employee, consciously
- Use Physically Secure Storage for Papers and Media: Paper documents, USB flash drives, memory cards, mobile devices and other containers of sensitive information should be kept in lockable drawers, cabinets, safes, and file rooms when not required, or when no one is present to look after them.
- Position Your Seat to Protect Your Screen: Computers and devices should be positioned so that people passing by have no chance to look at the screens.
- Clear Boards at the End of Meetings: Ensure that all information on whiteboards is erased, and that flip-chart sheets are put away, after a meeting. Shred all unwanted papers used during the meeting.
A lack of security consciousness around the workspace leads to the compromise of sensitive personal or organizational information. When proprietary data, passwords, confidential documents, financial data, trade secrets, and sensitive emails are not deliberately protected from those who are not authorized to access them, they could be disclosed, thereby impacting privacy or a competitive edge. If you do not protect documents containing critical information about your company’s new product formula, disclosure can allow competitors to beat you to market, thereby adversely impacting expected revenue. Whether by accident, human error or malicious action, these negative results can be avoided by adopting a disciplined culture of clear desk and clear screen whenever you go away from your work area. Act now. Exhibit a duty of care toward sensitive information in your custody, for your sake and that of your employer.
Sunny Ukeachu is a Technopreneur, Teacher and Security Consultant. He is a Fellow of the Nigerian Institute for Industrial Security (NiiS) as well as a visiting lecturer at the Institute and other resource centers, where he imparts knowledge to and mentors professionals. He is a prolific transformational leader with excellence. He is a multi-award winner and speaks at conferences. He holds dual first degrees in Computer Science and Business Computing respectively and an MBA. He also holds several certifications.
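The "Use Technology to Enforce Control" and "Run an Effective Awareness program" points above can be backed by a technical check on each Windows workstation. The script below is an added example, not part of the original article or any product the author describes: it audits, and if necessary sets, the screen-saver lock settings that a clear-screen policy relies on. The registry paths are the locations written by the corresponding Group Policy settings (Enable screen saver, Password protect the screen saver, Screen saver timeout, Force specific screen saver, and the machine-wide "Interactive logon: Machine inactivity limit"); the 600-second timeout is an illustrative value chosen here, not a figure from the article. For company-wide deployment the same settings would normally be pushed through Group Policy, with this kind of script serving as a local audit.

```powershell
# Added example (not from the article): audit and enforce the Windows
# screen-saver lock settings behind a clear-screen policy.
# Run in an elevated PowerShell session; the HKCU\Software\Policies branch is
# not writable by standard users.

$UserPolicyKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MachinePolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$LockAfterSeconds = 600   # assumption: lock after 10 minutes of inactivity

# Desired state: screen saver on, password required on resume, timeout set,
# a screen saver forced, and the machine-wide inactivity limit configured.
$Desired = @(
    @{ Path = $UserPolicyKey;    Name = 'ScreenSaveActive';      Value = '1';                 Type = 'String' },
    @{ Path = $UserPolicyKey;    Name = 'ScreenSaverIsSecure';   Value = '1';                 Type = 'String' },
    @{ Path = $UserPolicyKey;    Name = 'ScreenSaveTimeOut';     Value = "$LockAfterSeconds"; Type = 'String' },
    @{ Path = $UserPolicyKey;    Name = 'SCRNSAVE.EXE';          Value = 'scrnsave.scr';      Type = 'String' },
    @{ Path = $MachinePolicyKey; Name = 'InactivityTimeoutSecs'; Value = $LockAfterSeconds;   Type = 'DWord'  }
)

function Test-ClearScreenCompliance {
    # Returns one object per setting: expected value, current value, and whether they match.
    foreach ($s in $Desired) {
        $current = $null
        if (Test-Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ("$current" -eq "$($s.Value)")
        }
    }
}

function Set-ClearScreenPolicy {
    # Writes every desired setting, creating the policy keys if they are absent.
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
    }
}

# Audit first; enforce only if something is off.
$report = Test-ClearScreenCompliance
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Set-ClearScreenPolicy
    Write-Host 'Screen-lock policy applied; it takes effect at the next logon or after gpupdate /force.'
}
```

The audit report is what a security team would collect across the fleet to show that the policy is actually enforced rather than merely written down; the manual shortcut (Windows Key + L) remains the first line of defence, with the timeout acting as a backstop for the employee who forgets.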
Reach him on: Sunny.email@example.com