Clean Desk Policies Are Important To Security
The lines between IT Security and Physical security are often blurred. In fact, they are strongly related. Not every IT security breach starts in a hacker’s basement. Sometimes, good old fashion industrial espionage gives a cyber-criminal the keys to a company’s “virtual kingdom”.
We are all busy during the workday and in the evening we just want to go home. Many of us figure that only the building personnel such as cleaning people are in the office at night, and they couldn’t care less about what’s on my desk. And you’re right — most of the time. But, can you really be sure that:
- The only ones entering the premises at night and/or on weekends are authorized building personnel?
- Those who do gain access to your office space during off hours are not interested in making money on the side by selling confidential information or are hackers themselves?
Well, you can’t be sure; and as business owners, office managers, and executives, you’re inviting trouble by not enforcing a strict Clean Desk Policy.
While working for large organizations in the past, I’ve seen countless instances where client files, contracts, names and addresses, social security numbers, financial information etc. are left on desks at the end of the day. It’s amazing at the amount of exposed confidential information you’ll find just by walking through your office after everyone has gone home.
When implementing a Clean Desk Policy, put it in writing and make sure everyone gets a copy. Additionally, meet with your employees to explain why this policy is being issued and its importance.
Here are some things to consider for your Clean Desk Policy:
- Require all computers to be password protected.
- Require employees to have password enabled screen savers set for a maximum of 5 minutes so whatever is on their screens is not exposed during the workday when they’ve left their desks for long periods of time.
- At the end of the day, require all employees to close any applications they have opened and log off their computers.
- Do not leave laptops exposed at the end of the day or unattended for extended periods of time. Make sure they’re secured during the workday with locking cables and secured in locked drawers or cabinets when leaving for the day.
- At the end of the day, nothing that contains any information should be left exposed. Lock up all physical calendars, day planners, notebooks and/or pads with notations, access cards, CDs, printouts, etc. Make sure everyone has lockable drawers and fix any broken ones immediately.
- Do not allow sticky notes with client, company, or personal information on monitors or other places on the employee’s desk.
- Make sure no one is “hiding” passwords under or in desk items (i.e. under desk calendars, in pen/pencil cups, etc.). Employees may think they’ve found the perfect hiding place, but even rookie thieves know where to look.
- The same goes for drawer and office keys. Do not hide them — take them with you or lock them up in a secure cabinet at the end of the day.
- All contracts, client folders, and other company documents should be locked up in file cabinets at the end of the day and the keys secured.
- Make sure no documents or copies are left in copy machines at the end of the day. Read our blog post titled “Your Digital Copier May Be Dangerous To Your Company’s Health”.
- All scrap papers containing client, confidential, company, and personal information should be shredded and not simply thrown into waste baskets. Thieves often go dumpster diving for data. Use micro-cut rather than strip-cut type shredders for better security.
Your policy should provide for documented, periodic “Clean Desk Inspections”. As with most policies, education is key. If you tell employees what you need done and more importantly why something needs to be done, they will respond. People really do respond in kind.
Clean Desk Policies are not only for larger businesses; even one-person companies will benefit. You’ve worked hard to build your company, don’t hand it over to criminals so easily. Take security seriously.