The paper data breach

Robert Broxup

In the digital age, businesses place much emphasis on protecting electronic data, but very little seems to have changed in the way of protecting data on paper. Here are a few examples:

  • Charity – I am often approached on the street by a representative of a charity wanting monthly donations by direct debit. While listening to information about the charity, large quantities of personal data are often visible. The number of times bank details, names and addresses from earlier in the day are visible to me while engaging with charity staff, is quite incredible. We are not talking about obscure charities, but mainstream national and international names.
  • Banking – I recently entered one of my banks and was asked questions in the doorway about insurance products. The sales approach was to find out what people needed, then arrange a follow-up call to discuss the needs in more detail. This information was visible on a clipboard which included full name, address and contact telephone number. Again, this was at a high-street bank branch.
  • Car Hire – I once arrived to collect a car, only to see all the customer contracts arranged on the counter for everyone to see. The top pages included full names and addresses, price information and contact telephone numbers. These included my details.
  • Street Stands – most people will have at some point been approached by people asking what broadband they use, or what utilities they have, a pretext for a conversation about how their services are better value for money. So much personal information is visible to other people as a result of this activity. With so many new brands emerging and advertising in this way, it is conceivable that someone could set up a stand for gathering information for identity fraud. Conversations are often very intrusive and far exceed what is reasonable. Street stands advertising credit cards have become very popular over the last couple of years.

People need to be more careful. Beyond what I observed while interacting with businesses, I have also noticed the following while working professionally over the years:

  • Printed documents left abandoned on a printer for everyone to see. This disclosure includes visitors, and staff that may not be authorised to know the content; not to mention cleaning companies which often have a high staff turnover. Printers are available that require people to log on to print their documents. Unprinted documents are deleted from the queue if not collected, which saves paper as well as improving data security.
  • Documents left in meeting rooms instead of being securely recycled
  • Visitor sign-in sheets which sometimes include more details than needed
  • Unlocked filing cabinets and desk draws
  • Documents left on desks overnight

It is clear that while a significant focus is on digital data protection, exposure of personal data on paper is high.

Unwise Software Installations

Robert Broxup

The issue of viruses, ransomware, spyware and other forms of malware intended to cause harm, has become much more of a hot topic in recent years. However, this has not translated into a comparable increase in vigilance and due diligence when it comes to choosing software vendors and websites. Although many attacks come from vulnerabilities in software, it is far easier for malicious software to find its way into your corporate environment by allowing staff to install software themselves.

Malware is becoming more sophisticated, and the quantity of malicious software is quickly increasing. Technical solutions are evolving to protect against malware, but the concern voiced here is the culture of software installation and usage.  When left unchecked, this can easily result in harm, loss of data, loss of reputation and business. Anti-malware solutions are essential but relying on such solutions while allowing any software to be installed by anyone for any reason is a dangerous approach. An extra level of defence is needed.

  • Restrict endpoint permissions so that only key members of staff have the authority to install the software. Needing to involve an authorised person or team to have new software installed requires a justification which slows down the process. Whereas, if just one person is involved, they can easily install software on a whim with very little in the way of thought about the implications.
  • Have a published white list of software for use within the business, and defined policies in place regarding how to install software, and how new software is selected. Promote awareness of software installation policies throughout the company. Again, this aims to slow down the installation process or, more precisely, increases the time between an end-user deciding they need a piece of software to the software being ready to use on their desktop.
  • Remove all unauthorised software. Implementation of software installation controls are often performed at a late stage in business development and seldom implemented during any start-up period. Therefore, it is highly likely that when there is a requirement to enforce control of software within a corporate environment, it is because the business has lost control of its software.
  • Identify all executables on desktops and which application they belong to and remove all other executables. This approach can be time-consuming, and a more viable strategy is to define a standard image for endpoints which includes the operating system and all the software applications used by most staff. Applying this standard build will remove all traces of the previous installation and any unauthorised legacy software. The outcome is two-fold, cleanup of all old software, and control of new software.
  • Don’t install software from unknown or untrusted sources. The fact is, it is effortless to search for software online, find anything that is needed, and install the software very quickly. Websites giving away malicious software often look very professional, and many sites mimic known websites to capitalise on the credibility of legitimate websites.

Slowing down the process and giving time for appropriate software to be chosen and installed is essential and cannot be over-emphasised.

Avoid revealing employer’s clients

Robert Broxup

In previous blogs, ‘how much information is too much’ was discussed in detail along with how callers can compromise the supply chain with an inappropriate discussion which crosses lines. This article is a follow-up with more detailed examples for further clarity, and more within the context of how much information to include on professional profiles.

There will be a tendency to use details of employer’s clients to bolster your profile, but the message is clear, if you are willing to use your employer’s clients now to find a new job, you will most likely use your new employer’s clients in the future. This problem is significant in IT and is undoubtedly an issue in IT security. Here are some non-IT examples for illustration:  

  • Taxi Driver – if someone was a taxi driver for five years and they were applying for a new job, an employer would expect them to state the dates they were a taxi driver, and either the name of the taxi firm or that they were a self-employed taxi driver. Nobody would expect a taxi driver list clients or journeys. Doing so would neither be practical nor appropriate. A taxi driver is unlikely to do this, but it does illustrate the point.
  • Recruitment Agent – a similar example, an employer would not expect a recruiter to provide details of companies for which they recruit or people they have helped find work. Start date and end date is sufficient along with details of the job, such as specific domains of expertise. Willingness to disclose current employer’s clients illustrates the likelihood of revealing future employer’s clients.
  • A burglar alarm installer would not list where they installed specific types of alarm systems
  • Solicitors would not list their clients but would name the firm as their employer

Contracts of employment include confidentiality clauses, and separate non-disclosure agreements are often required.

Observing confidentiality in public

Robert Broxup

The saying ‘Loose lips sink ships’ was displayed prominently on posters during the second world war to advise military personnel and others to avoid chatter involving information that could be used by the enemy. A key question is to what extent does this apply now that mobile technology is everywhere. Undertaking 100% of professional work inside an office is a thing of the past; people work from any location including trains, aeroplanes and more commonly now in coffee shops. External observers can take advantage of the information on laptop screens, handwritten notes and discussions between people.

Earlier this year in London, while sitting in a coffee shop, I was close enough to overhear a conversation about a security incident. Sound travels, and without any real effort to listen or intention to earwig, it was apparent what these men were talking about and were concerned that a data breach may have occurred. Initially, the information could have been about any company, anywhere or any system. It could have been about their employer or one of their employer’s client’s systems. The details here have been left intentionally vague, but the conversation didn’t end there:

  • Clients won’t be happy – such a reference indicated that a data breach could have occurred with one of their internal systems involving their customer data, rather than a system belonging to one of their clients.
  • Branded stationery – overhearing a conversation was one thing but getting up for a coffee refill made corporate stationery visible without any effort or intention to spy; everything was in my face as I walked past them.
  • Laptop screensaver – companies often give away corporate stationery to clients for marketing and brand awareness. Therefore it was not a given that these individuals worked for the company whose branded pens were visible but returning to my seat and noticing a corporate screensaver on one of the laptops advertising the business was additional confirmation.
  • Identified vulnerability – the discussion overheard was sufficient for me to understand the nature of the issue and how someone would exploit it.

How to use this information requires little imagination.

Several years ago, I overheard two people discussing their wills over dinner in a restaurant and how they needed to get them replaced due to changes in circumstances. Shortly after, when a neighbouring couple was ready to leave, the man approached them and said, ‘Sorry, I couldn’t help overhear you mention that you needed new wills. Here is my business card. Give me a call’. This example is innocuous; however, depending on the context, the consequences could be quite severe, such as revealing information that could influence the stock market.

Thoughts include:

  • Avoid discussing sensitive issues in public.
  • Avoid using names of companies in the discussion. Using alternatives such as ‘we’ and ‘the client’ will often be more than sufficient.
  • Use anonymous tagging of corporate laptops so that nothing on the outside identifies ownership if it is lost or stolen. The value of the data on laptop computers will depend on the owner, and effort is less likely to be expended if ownership is unknown.
  • Remove visible branding from the operating system, so if it is lost or stolen, and someone turns on the laptop, it is not possible to identify the owner. More challenging than it sounds if the network domain name and the company name are the same.
  • Using BitLocker Device Encryption (Windows Vista through to Windows 10) with a boot-up password will prevent the operating system from loading until you enter the correct password. An unauthorised user won’t be able to identify corporate ownership.

Being security conscious in public places is essential. Almost every time I have coffee somewhere, I hear something which someone could use for malicious purposes.