There have been a lot online posts and talk lately about risk management and the “proper” or “acceptable” way to do risk assessments. It seems that the overwhelming talk, though, is only about the right and wrong way to do a risk assessment whenever considering a risk management program. Certainly, using the best risk assessment method to fit your business environment is very important; one size, and one method, does not fit all! However, there are so many more activities necessary within a risk management program than just occasionally doing a risk assessment. Regulatory agencies are starting to emphasize this as well, by stressing the need to have ongoing monitoring, auditing, peer review and a wide range of other risk detection and mitigation activities within the risk management program.
Also consider that the recently released Ponemon “Third Annual Benchmark Study on Patient Privacy & Data Security” found that 94% of the participants in their study experienced more than one data breach past two years. Many (and perhaps most) of those breaches probably could have been prevented with a comprehensive risk management program consisting of ongoing risk mitigation activities, and not just performing a risk assessment one every year or two.
One of the most effective risk mitigation activities I’ve done, since the first one I performed in 1990, is an after-hours work area walkthrough. All businesses, of all sizes and in all industries, will benefit greatly from doing these. They are simple to do (especially compared to a doing a comprehensive risk assessment), they are pragmatic, and they can reveal significant threats and vulnerabilities that can then be quickly and completely removed by taking some immediate actions that do not require anything more than having the appropriate personnel take actions that improve their work habits. I write in depth about how to do these in some of my books, and I’ve blogged about it a few years ago, but the time has come to revisit this important task that should be part of any business’s risk management program.
After-hours work area walkthroughs
Doing after-hours walkthroughs are a great way for all organizations to get out where their personnel work and see what kinds of risks exist to information when no one is around. They can usually be done during the work-week within specific business areas in around two to four hours. Partnering with the physical security department and having them come along increases the time investment value and security value greatly by not only having physical security risks identified at the same time, but also giving the information security folks a chance to raise information security awareness for the physical security folks and vice versa.
What are the information security and privacy vulnerabilities you are likely to see? The possibilities are endless! Here are eighteen common vulnerabilities, in no particular order, to get you started in thinking about the possibilities. Add to this list and create a walkthrough checklist based upon it to log what you find.
1) Mobile computing devices left unattended and unsecured
Growing numbers of workers in all types of businesses are using mobile computing devices when performing their work activities. For example, some of the hospitals and clinics I do work for have most of their staff using laptops, smartphones and tablet computers when they are with their patients. When doing my own casual work time walk through in these organizations I’ve found far too many of these devices just sitting on tables and desks with no one around. In one small organization I found five table computers, none of them were locked, and they all had patient information displayed. It’s interesting how mobile computers have a tendency to walk away “on their own” if they are left unattended and unsecured. These devices are irresistible to thieves and others who simply see an opportunity to get a cool new tech toy that might also have some juicy, and valuable, patient information on it. Significant breaches can occur when these mobile devices are left lying around. Especially in organizations that have a lot of non-workers, such as patients, visitors, shoppers, and others, in the area. Mobile computers are reported stolen or lost every day, and those reports represent just a small fraction of the actual losses.
2) Computers logged into the network and unlocked
There inevitably are computers found that are still logged into the network and that have not been secured, with no-one around. Don’t let the presence of a screensaver fool you. Move the mouse or touch the mouse pad and see if the computer is still logged into the network. Just think about all the things a malicious person could do through the authorized access of your IT administrators, your HR workers, your accounting department personnel, your information security staff (yes, numerous times information security personnel themselves leave huge vulnerabilities in their work areas), and other folks with access to sensitive information.
3) Passwords written and easily discovered
It seems passwords have been written on sticky notes since the introduction of Post-its in 1968. You will often find computer passwords on notes stuck to the computer monitor, under the keyboard, on the desk calendar, on the overhead bin, and under tissue boxes. You will find voice mail passwords on notes stuck under the phone, etched into the phone handset, and also nicely labeled under the keyboard. I’ve found many password tokens with the PIN number written on, and even scratched into, the token itself.
4) Negotiable checks out in open
If you work in an organization that receives payments from your customers, look in the accounts receivable and accounting areas for checks lying out in the open for anyone to pick up and walk away with. There is an amazingly large amount of information on checks that can be used to commit identity theft and other types of fraud. Probably one of the most egregious cases I found was when in an otherwise amazingly clean and tidy desk area that processed real estate payments. There was a very tidy stack of negotiable checks stacked neatly on the keyboard propped against the monitor. This was a commercial real estate mortgage office, and the checks, around 30 of them, were all for tens of thousands, and a few for hundreds of thousands, of dollars each. The employee explained she did this every night before she left so that she could get a “quick start” on processing the checks first thing in the morning. In her efforts to be as efficient as possible, she put the checks, and the information on them, at risk.
5) Papers containing sensitive information on desktops
It is amazing the amount of sensitive printed information that is left out in the open on top of desks. Much contains customer information as well as employee information. One of the worst cases I found was within a director’s office. He had, in very neat stacks on his long desktop, all his direct reports’ personnel files lying in front of their corresponding “Confidential” envelopes. The employees’ entire payment history, managers’ notes, beneficiary information, social security numbers, and all other information, available for anyone to see who would walk into the office, which had the door wide open.
6) Unapproved network connections
At one of my clients, one of the server administrators in a business unit with many different business partners did not like to be slowed down by rules and was always agitated when told to follow the procedures. He always wanted to set up connections to his networked server from the other companies himself. “I could easily set the connections up myself,” he would say. Turns out, this admin knew that network cables ran in the ceilings above the dropped ceiling panels. Apparently, sometime when no one was around, he had removed the panels above his cubicle and examined the wiring long enough to identify where to patch in a cable, from a modem that was on his desk, to his server. The cable ran up the wall, and was hidden by a tall voluminous fern, which we discovered during one of our after-hours reviews. Look for suspicious connections to computer equipment and wiring.
7) Unapproved software
There have been numerous times when I have found software boxes, DVDs, CDs and diskettes in personnel work areas that had been brought in and installed on employee computers, and even on the network, without approval. Some of the more clever folks had installed the software for the time period they want to use the application, and then uninstall the software in an attempt to thwart the corporate software inventory tool. If they are using the software to create business materials or products this could put your organization into jeopardy of licensing noncompliance. And then there are the malicious code risks. Look for boxed software packages in addition to CDs and diskettes out in the area. Oftentimes you will find the CDs and diskettes clearly labeled with the application name.
8) Unapproved access points
Believe it or not, modems are still being used to circumvent access into and out of the network. I’ve found several instances of employees who used splitters, widely available in electronics stores, to allow their phone lines to also be used on their computers. Note any external modems in the areas, or if you see phone cables hooked into the computers. Look for signs of wireless installations as well. You can easily find active wireless access points by taking a computer, such as a wireless-enabled iPad, with you while you are doing the walkthrough. It can show you as soon as an active wireless access point is nearby.
9) Sensitive information in trashcans
Look in your personnel’s trashcans and in the big trashcans for the department. What type of papers and other items are there? Just as throwing food into trashcans attracts roaches and rats, throwing away sensitive information attracts dumpster divers and criminals. It also attracts people who want to retrieve the papers to use for scratch paper within their schools, churches and clubs, which has resulted in privacy breaches many times.
10) Sensitive information in mail slots
Don’t forget to look in the mail slots for each area to see if there is blatantly sensitive information available for the taking. It is very easy for someone to take information from the mail slots and make a copy of it at the usually nearby copy machine, and then put the information back into the mail slots. The intended recipient will never know that copies were made and could now be in the wrong hands.
11) Sensitive information in printers, copiers and fax machines
People often forget to take their originals from the copy machines, or leave some copies in the tray. Even more often, people print email messages or reports with sensitive information, get sidetracked, and then forget to go get the printouts. People often send sensitive information within faxes to others without notifying them, leaving the physical fax machines holding confidential information for anyone passing by to pick up.
12) Keys in desks and filing cabinets
It is very common to find keys sticking out of the key locks in desk drawers and filing cabinets. When they turn up missing people usually don’t give it a second thought, thinking they have misplaced the keys, and end up getting copies made. Meanwhile others may have those keys to use when others are not around.
13) Open doors
I have found many doors to stairwells propped open with trashcans and boxes. While I was in a location in the information security area on the 16th floor of the downtown city building there came a woman through the stairway door with her three small children in tow. She saw me and the others in the nearby office talking, came over and asked us how to get to the downtown Walgreens. These were unauthorized folks who easily got into a restricted area. I have found doors to computer operations rooms held open with broomsticks and umbrellas. Usually people have propped them open with every intent of closing the door after they have carried something through, but it is very easy to get sidetracked once crossing through the doorway, leaving the door open for anyone in the area to walk through.
14) Mobile storage devices unsecured
There are so many types of data storage devices out there. It is easy to copy many megabytes of sensitive data onto any number of them and then carelessly leave them out in the open. Most of the data on these devices is not encrypted. Look for USB storage devices, in all shapes and sizes, along with DVDs, CDs, diskettes and even MP3 players and smartcards.
15) Confidential information in meeting rooms
White boards and flip charts are commonly used within meeting rooms to discuss plans and make decisions. When the meeting is over and another group is waiting to get into the room for the next meeting, everyone often jumps up and leaves without erasing the white boards or tearing off the flip chart pages. I have found information such as disaster recovery team member contact information, data flow diagrams and corporate plans that would be very valuable to competitors.
16) Outdoor trash bins with confidential information
You would think after years of talking about the prevalence of dumpster diving that people would not be throwing sensitive information into outdoor trash bins anymore. However, it seems to happen daily. Look in trash cans to see if personal information, or other kinds of information, are inside.
17) Unlocked storage rooms
Almost every time I do an after-hours walkthrough I find unlocked storage rooms with printer-paper sized boxes, usually very clearly labeled with the type of information within them, on shelves. Often they are customer account information or employee information archived into the boxes and into the unsecured room. Tons of personal information, all in one easy-to-carry box for someone who would like to use the information for criminal purposes, or sell it to lots of other criminals for a nice profit.
18) Unsecured mailrooms
Medium to large sized organizations often have their own mail areas with staff dedicated to processing the mail. Think about the huge amount of confidential information that is sent through postal letters, packages, UPS, FedEx, DHL and other delivery services. Unsecured mailrooms allow for confidential and sensitive information to be taken, often without the recipients even knowing they were sent. Unaccounted for stolen mail can easily end up being the root of untraceable and unsolvable crimes and frauds.
What do you do with the identified risks?
Keeping track of the vulnerabilities and threats found on an ongoing basis is very valuable. You can use the numbers of security and privacy problems found during your walk-throughs to show risk trends and validate security program efforts. You should also use this information to identify where more training and increased awareness communications are necessary.
Here is an action plan to follow for incorporating work area walk-throughs within your risk management program:
- Following each walkthrough write a report summarizing the results, along with what needs to be done to reduce the identified vulnerabilities and threats. Include your metrics to show how each specific area has improved, or worsened, since the previous walkthroughs.
- Include copies of all the detailed log charts you created during the walkthrough with the report for the area’s manager so he or she can address specific vulnerabilities with specified individuals. These results can also be incorporated into the annual performance appraisal.
- Consider publishing a yearly summary of the results of the walkthroughs to your board of directors and all your staff. This will demonstrate just one of the proactive ways that you are trying to protect the organization’s information assets.
An important point…
It is important to have executive leadership support for these walkthroughs. Do not try to perform them without speaking to your CEO; you could end up with some very angry middle management complaining to the CEO that they were blindsided. It is best to ask your CEO to issue a memo to all managers talking about the walkthroughs at a high level, and how they are being done to help improve information security and privacy practices. The memo should state that the walkthroughs will be done periodically within the business units, but it is usually best to not specify the exact dates. This way you will be able to see how the areas really look on an ongoing basis.
Bottom line for all organizations, from the largest to the smallest: Doing risk assessments are important for all organizations to appropriately identify security and privacy problems, in addition to meeting compliance requirements. However, other activities must be done on an ongoing basis within the risk management process to not only meet a wide range of compliance and other legal requirements, but also to truly mitigate risks and successfully prevent as many security incidents and privacy breaches as possible. Including work area walk-throughs into the risk management process is a valuable, simple and highly effective activity to include within your risk management activities.
Additional information about risk management
Additional information can be found here:
- I provide all the instructions and forms for doing a walk-through (after-hours or during working hours) within my Compliance Helper service
- NIST Special Publication 800-30: “Risk Management Guide for Information Technology Systems Recommendations of the National Institute of Standards and Technology“
- ISACA Risk IT Framework for Management of IT Related Business Risks
- FFIEC Risk Management of E-Banking Activities
- NIST ITL October 2011: “Continuous Monitoring of Information Security: An Essential Component of Risk Management“
- NIST SP 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View“
- NIST SP 800-37 Rev. 1: “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach“
- NIST ITL October 2012: “Conducting Information Security-Related Risk Assessments: Updated Guidelines For Comprehensive Risk Management Programs“
This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Tags: audit, awareness, breach, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, facebook, fake IDs, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social media, social networking, SPI, systems security, test data, training, twitter, walk through