The following articles have already been published in this series on the rules of secure behaviour on the Internet:
- Security in the digital world – spear-phishing/whaling
- Security in the digital world. Ransomware 2020
- Security in the digital world. Secure use of the Internet browser
Today's episode is about physical security.
Protecting company data starts with physical access to the workplace and to the media that hold confidential data: paper documents, hard drives, CDs/DVDs, tapes, flash drives and many more. Attackers or thieves can find data that compromises your company, or simply causes trouble, on something as unlikely as a floppy disk buried at the bottom of a drawer or thrown into the bin outside the office. Our homes and cars are exposed to the same threat: if a burglar finds devices or documents with company data, they become the same source of a leak as if they had been carried out of the office.
So we should not be surprised by security guards, cameras, boom barriers and safes. All of this is the first barrier, meant to deter potential burglars.
Sensitivity of company information
A conversation about business matters in a public place or on social media can end badly for you, or even for the whole company.
Data can leak even during a phone call about business matters if you make it in public, e.g. in the street, in a cafe or restaurant, or on a bus. Unauthorised persons can pick up information that should not come to light.
Company data must also be protected from unauthorised access inside the company. Only selected people should have access to the most confidential information.
For this reason, access should be secured (by a password, code, certificate etc.), controlled according to authorisation level, and monitored. This is particularly important for the protection of personal data under the GDPR.
Use appropriately secured hardware for processing data. Usually the company standard specifies the configuration; private devices permitted under a BYOD (bring your own device) policy are a conditional exception. The use of company hardware, in turn, should be restricted to work activities. This keeps the installed software to what work requires, minimises the risk of downloading malicious code, and streamlines work: the browser history stays clean, and a Facebook account neither distracts you at work nor becomes the cause of a company data leak, even by accident.
Watch out who you’re talking to
Apart from where you talk, it also matters who you are talking to. How many times have you hesitated to ask for the details of a caller who did not introduce themselves?
Nowadays this is one of the most frequently used data acquisition methods: an attacker pretends to be a representative of a known institution. The caller appears trustworthy because they volunteer a lot of information about themselves and about the matter they are calling about, and this lulls you. Next they ask for sensitive data, e.g. credit card numbers or business secrets. Don't be reassured by a familiar telephone number, e.g. your bank's: the number shown as caller ID is easy to spoof, so it proves nothing about who is really calling. If in doubt, hang up and call the institution back on a number you look up yourself.
The situation is similar on social media. You can encounter many fraudsters who hijack the accounts of your friends or colleagues, or pretend to be representatives of known companies, in order to ask you for confidential information or money.
Order on the desk and on the computer desktop
Data security is not easy if your desk is untidy.
When your desk is tidy, you will notice an accidentally left flash drive, hard drive or confidential document faster. The same applies to documents saved on the computer. A desktop cluttered with files and a disordered folder structure make it easy to overlook confidential information that should not be there.
Keeping security in the office
You come into the office every day and do it rather routinely, without wondering whether special precautions should be taken. Here are a few pieces of advice that will help you work securely:
- If the entrance to a room is protected by a code, look around before entering it to make sure nobody is watching, and cover the keypad with your other hand. Do the same when entering your PIN at an ATM or in a shop. There you can additionally cover the card number with your finger when taking the card out, or not take it out at all: for contactless payments the card does not even need to leave its holder, unless the holder blocks near field communication (NFC).
- When you open a door, someone may try to slip in behind you (tailgating): don't let strangers in.
- Use company hardware for work purposes.
- When leaving the computer, lock it.
- Don't keep unnecessary documents on the computer. Delete them in a way that prevents recovery if the computer is lost or stolen.
- Ideally the computer only provides access to data and is not where the data is stored. Keep data on shared drives or in the cloud.
- Log out of applications once you no longer use them.
- Take the smartphone with you.
- Don’t keep data carriers on your desk. Hide them after use, preferably in a locked cabinet or drawer.
- Don’t connect unknown devices to the computer, don’t use “lost” memory carriers.
- If in doubt, report it to the IT department and your superior.
- Don't photograph documents with a smartphone: that way you can share them with unauthorised persons even by accident.
- Don’t leave paper documents unattended.
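The advice above to delete unnecessary documents so that they cannot be recovered deserves a concrete illustration, because a plain delete only removes the directory entry and leaves the file's blocks on disk. The following Python example is added here and is not code from the original article: it overwrites the file's bytes with random data, forces the overwrite to the device, hides the original file name with a random rename, and only then unlinks. The sample file it creates is constructed for the demonstration. The caveat stated in the code is an assumption about storage behaviour, not a claim the article makes: on SSDs, copy-on-write or journaling filesystems, and volumes with snapshots or backups, the old blocks can survive, so this is a best effort on top of full-disk encryption, not a replacement for it.

```python
import os
import secrets
import tempfile


def overwrite_and_unlink(path: str, passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` with random data, fsync, rename to a
    random name, then unlink. Returns the number of bytes overwritten.

    Assumption (not from the article): this only reliably destroys data on
    storage that rewrites blocks in place. SSD wear levelling, copy-on-write
    or journaling filesystems, snapshots and backups may keep the old blocks.
    Full-disk encryption is the control that covers those cases.
    """
    size = os.path.getsize(path)
    # buffering=0: every write() goes to the OS directly, not a Python buffer
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                buf = secrets.token_bytes(min(chunk, remaining))
                written = 0
                while written < len(buf):          # raw write may be partial
                    written += f.write(buf[written:])
                remaining -= len(buf)
            f.flush()
            os.fsync(f.fileno())   # push the overwrite through the page cache
    # Rename first so the original file name does not linger in a recoverable
    # directory entry, then remove the anonymised file.
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return size


def demo() -> tuple:
    """Create a constructed 'confidential' file, wipe it, and report
    (bytes overwritten, whether the original path still exists)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".docx") as t:
        t.write(b"CONFIDENTIAL: constructed sample contract text\n" * 1000)
        sample = t.name
    overwritten = overwrite_and_unlink(sample)
    return overwritten, os.path.exists(sample)


if __name__ == "__main__":
    size, still_there = demo()
    print(f"overwritten {size} bytes; original path still exists: {still_there}")
```

On Linux, GNU `shred -u` does the same job from the command line and carries the same filesystem caveat in its manual page; on a laptop the practical answer is to enable full-disk encryption so that a lost machine yields nothing regardless of how files were deleted.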
Keeping security outside the office
When working outside the office with company data, you have to remember a few more things. Above all, you are responsible for the secure use of the company hardware and data you work with outside the office. The IT department cannot guarantee the security of your environment or your Internet connection. This is why:
- Use company hardware for work purposes.
- When leaving the computer, lock it.
- Don't keep documents and media with company data at home.
- Your company car and your private car are equally vulnerable to burglary. Don't leave laptops, smartphones or documents in them.
- When working outside the office, use VPN connections.
- Don’t use public WiFi networks unless necessary.
- Try not to enter login credentials for applications holding confidential data in public places. Someone can read them over your shoulder or from a camera. For such situations it is a good idea to set up biometric login or a PIN bound to the device rather than to the user account: a device-bound PIN observed by a bystander is useless without the device itself.
- Use multi-factor authentication (MFA, 2FA): it protects, or at least makes it considerably harder to take over, your user account in any application where you set it up, even if your password has been observed.
- Never let mobile devices out of your sight. They are an easy target for thieves.
- Don’t talk about work topics in public.
In this article I have presented my insights and experience related to the physical aspect of company data security and tried to make you aware of how easy it is to expose data to unauthorised access.
This series of articles on security on the Internet does not exhaust the topic. Attackers keep finding new methods to acquire confidential company data or to extort a ransom for it (ransomware). Stay vigilant and don't be deceived!
Do you want to raise the awareness of your employees? Take a look at our cybersecurity training offer. We deliver training to companies from the public and private sectors. Thanks to the training, your employees will gain invaluable knowledge that will make your company more resistant to cyber attacks.
We serve over 200 companies from around the world on a daily basis, taking care of data security among other things. An unaware employee is a big threat to the organisation, so don't hesitate: purchase training today. Contact us!
Microsoft Administrator and Trainer at Support Online