The latest intelligence on Al-Qaeda, a high profile Child Protection report and plans for policing the London 2012 Olympics; three very different documents with two things in common: firstly, they all contained highly confidential information and secondly, they were all left on a train.
In each example, an inquisitive fellow commuter picked up the folder, took one look at the contents and promptly handed it to a newspaper. In each case, the newspaper in question was happy to return the folder to its rightful owner after having used the information to craft a front-page news story that was both embarrassing and reputation damaging for the companies ultimately responsible for managing the information.
On reading the subsequent news stories, no doubt many people wondered how anyone could have been so careless. But just how many of us undertake work while commuting with little regard for the security of the information they are working? These few high-profile incidents may have grabbed the headlines but the journey to and from work places every company’s information at risk. Employees are leaving files on trains, laptops in bars, and dropping memory sticks in car parks. Then, there’s the employees who inadvertently display company information to fellow commuters and think that the commuter train is the ideal location to talk sensitive company business on the phone.
As commuter belts grow ever wider around our urban centres, workloads are getting heavier and the working day seemingly longer. Inevitably, many face longer journeys into and out of work (Eurostat puts the European average at just over an hour a day for large urban areas). Consequently more people use their travel time to keep on top of their work load. But information is never more at risk than when it is on the move.
Our latest research reveals that two thirds of Europe’s office commuters have no qualms about peering across to see what the person sitting next to them is working on; and more than one in ten (14 per cent) has spotted confidential or highly sensitive information.
The growing use of mobile devices such as smartphones, tablets and laptops has exacerbated the trend of working on the move. But paper documents appear to remain the most vulnerable. They are easily forgotten or disposed of carelessly.
For employers and their lawyers, this type of inadvertent disclosure is a grey area, particularly if the information spotted or overheard turns out to be rather useful competitive intelligence.
The gathering of competitive intelligence is a legitimate business practice, but the line between what is legal and what is ethical can be a fine one. Guidelines produced by law firms often focus on formal anti-trust activity and the kind of information that employees can and cannot solicit or accept from competitors, suppliers or customers; glossing over the far murkier waters of what to do with information that is obtained by accident. That is, if leaning over someone’s shoulder to read what they are doing or eavesdropping on a conversation can ever be said to be ‘accidental’.
Those brave enough to venture into this field find themselves having to trust employees to understand that some behaviour, while not exactly illegal, is still unethical, and honour and integrity should prevent them from taking some of the opportunities they may find themselves presented with.
In other words, when it comes to information gathering, overhearing a loud conversation between your top competitors on the train is generally not unethical; but deliberately manoeuvring your way to the seat behind them so you can hear exactly what is being said, probably is. Similarly, seeing confidential company information on the laptop screen next to you on the plane is not unethical; but scrolling through the slides while the author is in the washroom is more questionable. Reading documents left behind might be okay but stuffing someone else’s documents into your bag while they’re not looking is theft. Every one of us has a line we are not prepared to cross, and it’s down to the company to establish guidelines and policies to ensure everyone knows where the line should be.
The need to harness and sometimes adjust individual moral codes when it comes to appropriate business practice is incredibly important. One of our earlier studies showed that most people (52 per cent of office workers in Europe) are happy to seize the opportunity to discover confidential information about a competitor and to share it with their employer (51 per cent) – and often regard this as a positive and loyal course of action.
In fact, most employees believe that information exposed in a public area is fair game, and keeping it safe is entirely the responsibility of the person failing to keep it secure. There are practical things an employer can do to protect the organisation and its employees from such activity. These include proper education on information security for all employees, a shared sense of data responsibility and equipping employees with the IT tools to securely manage and handle information while travelling (such as passwords, device encryption, privacy screens and ensuring that sensitive information is only sent over secure virtual networks). It is particularly important not to forget about paper – hard copy documents can be taken out of the business without anyone knowing they’ve gone or who’s got them.
Accidents will happen, but you can keep them to a minimum by educating, supporting and enabling your employees. At the end of the day, most people are honest and want to do the right thing; people just get tired or rushed or distracted and then it goes wrong. None of this is new of course. Wartime propaganda urged those at home not to discuss the movements of troops or supplies for fear of yielding an advantage to the enemy: “loose lips sink ships” and “careless talk costs lives” and many variants thereof were memorable slogans. With the language of military engagement so often used for business purposes, perhaps firms should think of similar campaigns to keep their critical information safe when it’s on the move.
Christian Toon | Risk and Security at Iron Mountain | @christiantoon
Bio: Christian Toon, has a wealth of experience in the industry and ensures that governance, risk and compliance requirements are met within both new and existing contracts from across the continent. These contracts include some of the industry leaders in business today. He enjoys the challenge that comes with interpreting customer problems and solving them with a risk-based approach, with strong interests in the causes of data breaches, identity theft and bring your own device.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.