Vulnerability of the information asset is crucial for all blue chip organisations. Many companies are well versed in protecting their PC-based sensitive information, but how many security managers out there are really getting to grips with safeguarding vital paper-based documentation? John Julian proffers a beginners' guide for in-house professionals.
Information security is a constant and growing concern, not only for Government and businesses but also for individuals. To date, safeguarding information has primarily been IT driven, with the emphasis on protecting electronically-generated or stored information. This is somewhat understandable in the light of the sheer level of publicity that worm and virus attacks receive, particularly when they manage to paralyse whole business sectors (and even whole countries).

The whole topic area of information security is also emphasised by current legislation and Codes of Practice whereby, for example, EN 17779 (BS 7779) dictates an information management requirement that focuses entirely on data security.

Whatever happened, though, to the threats posed to information security that existed before we all turned on our computers? Have all of the old commercial spies retired? Has bin searching – otherwise known as 'dumpster diving' to some – ceased to occur?

Have we finally reached the stage of the paper-less business environment, at least as far as sensitive information is concerned?

Nowadays, we hear of rare cases where a bundle of files is found on a tip, or where allegations are made that Court case-related documents were found in a skip, but generally speaking the 'gurus' seem to be silent on risks posed to hard copy information – be it in the form of paper, microfilm or photograph, etc.

Of course we all still live and work in a paper-intensive environment, with computer print-outs adding to the many other documents that are still produced. Unfortunately, while the majority of businesses and organisations are now alert to the consequences of hacking, their attitude – or rather the employees' attitudes – towards basic information (document) security hasn't improved.

So are documents still a target for industrial espionage? Can their compromise bring harm to the company? The answers are fairly obvious but, to bring the need for document security into focus, there are several factors to consider.

Prior knowledge is power
Early information on activities that affect share prices opens up opportunities for profitable share trading (or 'dumping') before values drop. That early information could include snippets of news on planned acquisitions, major contract awards, company results (either quarterly or year end, for example), new product launches, changes in marketing strategy and moves by key individuals.

Prior knowledge of contract budget information or leakage of other tender values could offer an advantage to those bidding for the contract. Similarly, advance knowledge of poor company performance or planned redundancies could lead to crippling action being taken against an organisation by its employees or shareholders. Equally, information that shows the company in a bad light may be used to damage its image, reputation and/or credibility. This then allows competitors to gain market advantage, or an individual to exact revenge against real or perceived grievances.

In the latter case, the information gained may equally be used to target an individual rather than an organisation, although the two often happen together.

Thus far, the Data Protection Act 1998 has proven to be the best tool that has appeared in the fight for the protection of information in that, at last, there are penalties that can be applied against individuals who fail to protect information. Although this is only applicable to 'personal information', it has started to make managers and information custodians take notice and apply some protective steps. Alas, it will probably require a high profile Court case and a stiff sentence before it becomes universally applied.

At the present time, many of the staff members we encounter "have heard of the Act" but don't really believe it applies to them, and while they protect their data (in the network), paper documentation is handled no differently to how it was in days gone by.

Many organisations have, of course, enforced the Act with the seriousness it merits, and have implemented sound personal information policies and practices to the degree where both data and hard copy information are at once protected and safely handled. In a small percentage of these organisations, the policy and handling requirements are also extended to sensitive information that isn't 'personal' (ie company-sensitive information), but from our experience they appear to be in a minority.

One should condition that statement – there are many managers and individuals in these organisations/businesses who are really trying to make sensitive information policies and procedures work, but with mixed degrees of success. Of course, in this area one would exclude the Government and defence organisations where classified document handling procedures have been established and regulated for many years now.

Regrettably, many organisations continue to face enormous vulnerability with the potential for serious compromise and the subsequent consequences. Is this caused by a lack of awareness of the threat, apathy, a false sense of security or a resistance to change? It's driven by a combination of all these possibilities.

The compromise of information
In many cases, Boards of Directors consider that they have security in place in as much as their buildings are controlled against unauthorised entry, staff are vetted, separate bins are provided for sensitive material and there are contracts in place with 'confidential waste disposal organisations'. Do the security team members in such an organisation really need to do any more? Does this level of security afford sufficient protection to information?

The compromise of information, even theft or deliberate espionage, is more likely to be carried out by someone who's legitimately inside the premises. Where access control helps to keep out the external or 'freelance' spy, any internal lack of control by a document owner still leaves vulnerabilities.

In this day and age many organisations have outsourced some or all of their non-core functions, and thus the selection and vetting of staff is now beyond their control.

While the service providers (or 'partners') may present pledges or even written statements of selection/vetting, their standards may be well below those that your own organisation would apply. This is of particular concern in the services that suffer from high staff turnover. Combine this with staff attitudes – whereby they come to view most long-term contract or agency staff in the same way as other employees – and the potential vulnerability increases.

Often, such individuals are in the type of employment where we abandon our premises to them on a daily basis, leaving contract cleaning, maintenance and catering personnel under the watchful eyes of our contracted security force – with not a company employee in sight! Think of the penetration of one of the major telephone companies by a reporter using the agency staff route. What about reporters airside after joining cleaning companies or security firms? The potential for planned penetration becomes only too apparent.

Add to this the possible financial motivation for information theft that could well attract lowly paid members of staff and the possibility of specifically targeted espionage assumes an even higher significance.

Can we learn from case histories?
Unfortunately, there's a dearth of public knowledge case histories out there that would allow us to demonstrate this vulnerability to senior management. In most instances, the knowledge of such an incident will be kept in-house to reduce its impact. The internal 'spy' can usually be defeated by good internal document security controls, but these require the management and employees of the company to buy in to the programme. If the 'spy' cannot access the document(s) then no espionage will occur.

To achieve such a condition of operation, the end user will need to ensure that a number of measures are put in place. First, it needs to be appreciated by all in the organisation that protecting sensitive information is a positive action requiring effort and resources. It would be nice to be able to class all information as 'sensitive' and apply all of the protective measures available to it, but the reality of the situation is that too much time would be required (even in just tracking each document through its lifecycle). Ultimately, there's a definite need to define what is truly sensitive to the organisation, restricting this to a manageable minimum. It's suggested that the criteria for sensitivity should be against the degree of damage that any compromise or inadvertent disclosure would cause.

Ultimately, it's likely that only three categories of sensitivity would emerge:

  • company secret: where compromise would seriously affect the ability of the business to continue operating (whether through financial impact or loss of reputation);

  • company confidential: where compromise would cause serious financial losses (in the context of the business, this figure would vary depending upon the value and/or assets of the business as a whole);

  • personal in confidence: all information that relates to personnel, and is subject to the Data Protection Act 1998.

Obviously, information protected by existing legislation (eg patents and copyrights, etc) would have some protection – or at least deterrent against compromise – but other documents would then fall under the protection afforded to 'proprietary information'. Much of that information would be considered to require no protection beyond being retained in the building, or to be adequately disposed of.

Once the grading has been accepted on the basis of content, effective control of sensitive information becomes less time consuming and has a chance of actually being applied. Such information demands to be marked with a sensitivity grading throughout its lifecycle, from first draft to final copy, and then be subject to recorded and auditable (tracked) distribution to only those with the business 'Need to Know'.

The right of access to information by rank needs to be barred. If certain members of staff aren't involved, they don't need to know.

'Need to Hold' as a principle
A 'Need to Hold' principle has to be applied, both to keep volumes of information down to manageable levels and to ensure that such information is only held where it can be protected. If a person only needs sight of a document then they don't receive their own copy. They view and sign off on a central copy.

When a document is no longer needed it's destroyed. Destruction by an approved, secure method is vital. There must also be a record made so that 'lost' documents may be highlighted. For truly effective control, documents should be returned to the originator for subsequent destruction.

The method of document destruction must also be addressed by the end user organisation's security team. We often find high profile organisations relying on shredders that are able to cut documents into full-length, 0.5 cm strips – presenting a not-too-difficult task of re-assembly.

The principle of shredding sensitive material within a secure handling area is sound, but shredding should be cross-cut and of no more than 0.2 cm in width. Even then, the shredded material must be treated as sensitive until it's totally destroyed for good.

The latter process is often – and can safely be – contracted out to specialist companies, but these firms should never be taken at face value. Even where such an outfit is listed as a BSIA-registered information destruction (ID) company, their facilities and operation must be subject to a full assessment before you procure their services. It's only by doing so that you'll gain assurances that the certificate of destruction they give you is a true record of what happened to your information.

The audit – both pre-contract and periodically thereafter – should include the logging and tracking of your waste bags/containers, their transport, unloading, storage, sorting and final destruction. It's essential that your material is stored and handled under secure conditions at all times until it's destroyed, and that a full audit trail of every bag is maintained. We still come across cases where 'classified waste' is recorded as a bulk collection from sites and not even the number of bags involved is recorded.

While all of the ID companies are considered to be adequate under the Data Protection Act 1998's requirements, it's strongly recommended that 'raw' secret or confidential company information is rendered unreadable before it leaves your premises. In most cases, the recommendation is that you employ a cross-cut shredder.

Location, location, location
All of the locations where sensitive information is handled need to be provided with adequate privacy and security. Just as we're required by the Data Protection Act to prevent the oversight of personal information on screen, so security professionals must also prevent unauthorised access to sensitive information.

Thus we need to ensure that persons receiving and holding sensitive documents are afforded privacy, and also have the physical storage away from prying eyes when the holder isn't present.

For example, contractors repairing PCs might have sight of a neighbouring office worker's PC. How do you avoid them having sight of a personal document while it's being worked on? And what about those occasions when all of the staff go for lunch, or into a team meeting? Does everybody ensure that all data is secured beforehand, and that access to a given area will be controlled in their absence? Sometimes the security policies you'd like to put in place might not be so practical.

If a document is left exposed it's less likely to be taken as this would be noticed and allow mitigating action. It will be read or, more likely, copied. The ability to copy documents must therefore be brought under control. Photocopiers pose particular risks, and even if PIN-operated this will not stop an already-authorised user from making copies.

Many networked copiers/printers retain the last document or documents produced, allowing a print to be made after the official copies have been printed. Some organisations with more rigid procedures have implemented a policy whereby a clear screen is 'printed' after the run, thus overwriting the last document. For most companies, this would be too costly and impractical a policy, and it would depend on the cache facilities of the printers in question as to how beneficial it would actually be.

In-house security managers must also remember that fax machines can both transmit a copy off-site (not too much of an issue if the machine in question prints transmission information on the originals) and be used as a photocopier. If they're located anywhere near sensitive information handling areas then fax machines need to be secured with power – and preferably PIN – controls.

Staff compliance is vital
Unfortunately, even where management support results in mandatory sensitive document procedures, the nature of many staff members is such that there will always be those who don't comply. Your security system therefore needs to include the means to detect violations and educate transgressors. This really means physically checking that sensitive information isn't left exposed or vulnerable, and that transgressors are duly highlighted for management action.

You'll find that the inspection process here can be greatly eased by operating a clear desk policy, but such a policy means different things to different firms. In some, it means that, literally, all desks are fully cleared when the 'owner' is out of the office (including during meetings, lunch and break times, as well as outside normal working hours).

In more and more cases these days we find that 'clear desk' means staff are only required to lock away sensitive material, and thus work areas tend to include desks bearing massive piles of 'unclassified' documents, magazines/journals, computer print-outs and so on. It's then not an easy task to determine there's no sensitive information either buried in the piles of paper or, as is also common, sitting in/on a desk but bearing no sensitivity marking. Ever heard the cry: "Everybody knows that everything I write is secret"?

Information Vulnerability Audits
We conduct Information Vulnerability Audits for a number of clients as part of their overall programmes of information and communications security. While some programmes are effective and well-supported, other audits continually discover highly sensitive documents left in full view.

The successful clear desk programmes are almost invariably those that contain some form of censure/penalty for transgression. Again, an area in which you'll require some serious Board level support. Thus it's not just a question of writing a policy. It's also very much a question of enforcement. Enforcement means that you need to have a management support process of checking/auditing – and a penalty system.

Various organisations use different methods here. A few have included compliance with security requirements in the terms and conditions of their employment contracts, and reflect staff performance in their appraisals. Others use the embarrassment factor of naming and shaming individuals.

In some cases, where sufficient resources are available, the items have been confiscated and have to be collected from security staff or another designated and centralised point. Care is needed with a confiscation programme. If there's no report or penalty and no management involvement, many employees will start to use the system as an effortless desk cleaning service. If you do confiscate, then make sure you have the offender's manager waste precious time in collecting the items.