Workplaces are data-rich environments, however, certain locations found in offices worldwide are hotspots for sensitive or classified information, and they put organizations at risk for data breaches.
Kroll Advisory Solutions has recently released a new list of “data-rich locations” in offices, along with ways to minimize risk.
Laptop Computers and Mobile Devices
According to Kroll Advisory Solutions, laptops have always been a major source of breaches, but the new fervor for Bring Your Own Device (BYOD) trends is pushing the risk even higher.
According to the 2012 HIMSS Analytics: Security of Patient Data report, 31 percent of respondents indicated that portable device use was among the factors most likely to contribute to a breach. That number is up from 20 percent in 2010 and four percent in 2008.
Minimize Your Risk: If BYOD is permitted at your organization, certain minimum levels of security must be required. General best practices include device access control through passwords; specific, company-approved security software; and company access to remotely destroy data if the device is ever lost or stolen, the report says.
In most instances, the convenience and popularity of BYOD with employees will outweigh any inconvenience brought on by added restrictions.
Voicemail Systems
Most voicemail systems are protected by little more than a four-digit password. In some cases, unauthorized users who manage to guess the code can actually listen to the messages and then reset the system to appear as if the messages had never been accessed, the report says.
Minimize Your Risk: Voicemail, similar to email, is a recorded communication and should fall within an organization’s data security and privacy guideline for employees. Guidance should include what type of information is or is not acceptable for voicemail messages, as well as a firm stance against default passwords like 1234. If possible, use passwords longer than four digits and log the date and time that messages are access to help users identify questionable periods of use that may signify unauthorized access, according to the report.
Conference Calls:
Many employees have the habit of using the same conference bridge and access code repeatedly, especially for regular meetings.
Minimize Your Risk: If an employee leaves the company, change any access codes to meetings that he or she regularly attended, also making certain to remove that employee from any meeting notification lists. In all cases, Kroll Advisory Solutions says, opt to receive an end-of-call report that gives details on the number of dial-ins to help you identify any
stowaways.
Mailrooms:
Mailrooms are a hotspot in that they are a hub of receiving sensitive information and also a way of sending data off the premises. The report cites cases where insiders can exfiltrate media storage devices, such as USB flash drives, by mailing them out in a standard USPS box.
Minimize Your Risk: Place appropriate-to-their-job limits on employees’ access to company data. Restrict the ability to download the information to personal devices by blocking access to USB ports or other means of retrieval.
Your Employees:
Employees should be considered targets in their own right, especially given their role in securing and interacting with sensitive data. Social engineering tactics are always evolving, such as “spear phishing,” which takes aim at employees with the intent of duping them into doing something they shouldn’t.
Minimize Your Risk: Start employee privacy and security awareness training programs, and include third-party vendors and contractors, the report says. These events will strengthen your employees’ ability to recognize the signs of an attack or threat. Other than this, organizations can increase their detection and prevention methods, enhancing monitoring and logging activities, and blocking attacks with Web filtering.
What other data security hotspots do you find in your organization? Share your best data security practices with us in a comment below, or email Security Associate Editor Claire Meyer at meyerc@bnpmedia.com.
