When was the last time someone misplaced an important report at work? How about the last time someone saw something they shouldn’t have?
#DataBreach fact: the average #office loses 1 out of every 20 paper documents https://t.co/x5IA6cJRU9 pic.twitter.com/vKHto6sxkg
— Shred Nations (@shred_nations) February 8, 2017
When you rely on email or mail to send reports to clients and employees, you introduce a lot of external security risks. But did you know that you also open the door for many internal security threats?
Your employees’ everyday habits can create big security threats. Often, they don’t even realize they’re putting private information at risk.
Here are 6 of the biggest internal security threats in your report management process—and how you can solve them quickly.
1. Prying eyes
Over 70 percent of offices have open floor plans. Regardless of whether you think they’re amazing or the absolute worst, it’s unquestionable that they introduce security risks.
Google got it wrong. The open-office trend is destroying the workplace https://t.co/6fv876mmzZ pic.twitter.com/mfBgSnQxXw
— Marsha Collier (@MarshaCollier) February 6, 2017
Open office? Unassigned seating? Mobility? Philips' NA HQ, designed by @MPA_Boston, incorporates it all successfully https://t.co/RAKHPTrhBK pic.twitter.com/1VfKzA5J0T
— Stegmeier Consulting (@WorkplaceChange) February 8, 2017
In an open office, most employees don’t have physical barriers guarding what they’re working on. Whether they’re distracted on Facebook or reviewing credit card information for monthly invoices, everyone in the office can see.
Coworkers, package deliverers, and visitors could glimpse sensitive information just because they don’t stare at their feet as they’re walking through the office.
Multi-monitor setups and large monitors make visual eavesdropping easy. If it’s easier for the employee to read, it’s also easier for the person walking by to read.
Without a complete office redesign, you have one option: get a privacy screen.
Privacy screens are a small investment compared to the cost of a security breach.
2. Abandoned computers
Everyone needs to step away from their computer throughout the work day. Maybe it’s to stretch their legs, run to the bathroom, go to lunch, or join an impromptu meeting. They could be away from their workstations for anywhere from under 5 minutes to over an hour.
How long should employee computers be inactive before they lock and go to sleep?
When you see multiple attended computers with their screens awake as you walk through your office, something needs to change.
Often, employees get to customize this for their needs. No one wants their computer going to sleep every 60 seconds. Some even set their monitor to never sleep.
If you walk through your office and see multiple unattended computers with their screens awake, it’s time to initiate change.
An easy solution is to send an email like this:
Happy Tuesday, [employee first name]!
Lately, I’ve been finding ways to improve the security of sensitive information in our workplace.
This week, I’d like to focus on what you do when you walk away from your computer.
First, please lock your monitor whenever you leave your workstation. If you’re simply turning around to chat with a coworker, you might simply minimize your windows so only your desktop shows.
Second, I know it’s easy to forget to put your monitor to sleep. To prepare for those times when you do forget to put your monitor to sleep, you should set your monitor to sleep and lock after 5 or fewer minutes of inactivity.
If you’re a Mac user:
- Open System Preferences
- Open Energy Saver
- Slide the bar for “Turn display off after:” to 5 minutes
- Go back to System Preferences
- Open Security & Privacy
- Check the box to require a password X minutes after sleep begins. Set to “immediately” after sleep begins.
- All done! Thanks for doing your part to keep our data safe!
This is a simple step that goes a long way in protecting the sensitive data you handle every day.
Do you have an idea for other things we can do to enhance data security? Please let me know! You can reply to this email. Better yet, stop by my office on the 3rd floor. I’d love to chat with you!
Thanks for all your hard work!
Susie Sunshine
Chief Information Security Officer
3. Unattended printers
Going paperless isn’t something that happens immediately.
Unless you’ve removed every printer from the building, employees will continue printing sensitive documents.
Their justification might seem reasonable:
- It’s easier to read when it’s on paper.
- A physical copy means I don’t have to switch between as many windows.
- I need a copy that I can access when the wi-fi goes down.
- I like reading it on the bus when I commute in the morning.
But the problem with printing reports is that they rarely get picked up from the printer immediately.
Daily routine:
Print something again
Forget to pick up thing on printer— Tom Wuttke ? (@tw) August 2, 2016
Minutes, hours, or even days pass with the report sitting on the tray for all to see. Employees who don’t have clearance to see the sensitive information will see it when they pick up their own documents from the printer.
There are a few ways you can minimize this security threat:
- Group printers by security. So, there’s one printer for documents with credit card information. And another for documents with social security numbers. And another for documents without sensitive information. Et cetera. Any forgotten reports won’t be restricted information to others visiting the printer.
- Hire someone to babysit the printer. Have a person collect and sort printed documents. Then, when someone picks up their document, the person can hand them the correct document without showing them the rest of the documents waiting to be picked up. A maximum of two people will see each document.
- Shred leftover documents at the end of each day. If someone hasn’t picked up their document by the end of the working day, they probably didn’t actually need it. On their way out each night, ask a trusted employee to shred documents that are still sitting by the printer.
4. Unprotected attachments
On the road to becoming paperless, it’s common to move from printing documents to emailing them.
Instead of remembering to pick up the reports they printed off, employees only have to refresh their inbox.
But what if you send the report to the wrong person? What’s to keep them from opening the report and using the sensitive information inside for their own gain?
Solution: encrypt your emails and the files you attach.
If you use Outlook, it’s a simple 4-step process to encrypt messages and attachments you send.
There are also many file encryption tools if your mail provider doesn’t support encryption to the level you’d prefer.
How to Encrypt Email Attachments http://t.co/xsYkWehOM1 #encryption #privacy pic.twitter.com/nxC4uEwG1N Protect Americans' Privacy!
— A.T.O.M. (@atomsoffice) August 22, 2015
Ultimately, your goal is to make sure only your recipient can read your attachments, regardless of how secure their network is.
5. Unlocked filing cabinets
Unless you work at a company that has been paperless from day 1, you’re going to have plenty of filing cabinets in your office.
They could hold employee personnel files, invoices from last year, or contracts with all your clients.
You probably have at least 1 filing cabinet that you actively add new documents to.
Who has the key for each of your filing cabinets? Where do they keep the key? Please don’t say that they keep it in their desk drawer or that they lost it.
https://twitter.com/Mitchel_Cleland/status/807321223474446336
Granted, it’s less likely that someone will accidentally see sensitive data in a filing cabinet than if they were walking past a coworker’s open computer.
That doesn’t mean it’s less of a security risk. In fact, I would argue that it’s more of a security risk because anyone mousing through filing cabinets they shouldn’t be in probably has bad intentions.
This is an easy solution: buy filing cabinets that have locks. You can get ones that have one lock for the whole cabinet or separate locks for each drawer.
6. Poor disposal
When you’re done with sensitive documents, how do you get rid of them?
You don’t have to keep them any longer for compliance, and you know your business won’t need them in the future.
Do you…
- Throw them away
- Recycle them
- Shred them
- Burn them
Hopefully, you don’t crumple them up and throw them away with the plastic baggie that held your sandwich for lunch. Dumpster divers can legally retrieve these papers once your garbage is in public view.
https://twitter.com/CZen11/status/823993491525160963
If you work at a large company, you probably have locked shredders that a disposal company picks up periodically. Smaller companies can arrange for annual or one-time disposal from similar companies.
For those of you with extra time on your hands (or if you don’t want to bother with an external company), there’s another option. After shredding or tearing documents, mix them with a bit of water until they’re an unrecognizable pulp.
That may be more work than it’s worth, though.
All 6 of these security threats are simple to resolve. But don’t start bugging employees about how they need to be more careful with sensitive documents just yet.
You can’t blame your employees’ habits entirely.
The root problem may be how you’re sending reports to employees. Emailing or printing and emailing reports can be dangerous if employees aren’t up-to-date on how they should be protecting sensitive information. As much as you train employees on ways to reduce security risks, changing how you distribute reports can eliminate most of that risk.
By automating your document distribution, you mitigate the security risks above.
Ready to learn more? Check out our free guide on 8 of the best benefits of automating report management.