Privacy and Security Lost And Found

Today I’ve been participating in a very interesting discussion on the Security Catalyst Community about a very interesting project that Scott Wright is doing with Honey Sticks at his site.
Part of the discussion led to the possibility that one of the Honey Sticks that Scott had planted in a hotel, and had been “activated,” may have been turned in to the hotel’s lost and found.

The lost and found considerations reminded me of the March, 2006 article I wrote for the CSI Alert, “Lexus Laptop Lockers.” Here’s the relevant excerpt…
>”I did a little experiment a month or so ago. While at the movie theater I asked if they had a lost and found. Without so much as a blink or question about what I lost, the helpful employee reached under the counter and set it in front of me. Inside, along with mittens and gloves, was a Blackberry, a couple of cell phones, a Swissbit with USB drive, and another type of portable computing device I had not seen before. “If you see what’s yours, take it.” No, I took nothing, but it was interesting to see how easily I could have.”

{I’ll post the full article on my site sometime in the next several days.}
I love doing these little human experiments, and I’ve done similar lost and found experiments at grocery stores, bookstores and restaurants. Each time the staff helping me were more than happy to show me their lost and found box and let me take whatever I told them was mine, no questions asked.
Which got me to thinking about any type of organization’s lost and found policies…
What is your organization’s lost and found policy?
What would your organization do if someone turned in a laptop, cell phone, USB drive, or any other type of computer or storage device? Would the Information Security area be notified?
Have you worked with the area that handles lost and found…typically in the Facilities Management area, but sometimes the Physical Security area…to establish tighter controls around computers and electronic storage devices?
What would happen if someone went to your organization’s lost and found, said they lost something, and wanted to look through the lost and found box to find it? Would the folks set the box in front of them to look through and take whatever they wanted?
Or, if the folks asked the person what they lost, and the person said something vague like, “my computer,” “my data storage device,” or something similar, would the folks give them any of the objects that came close to that description?
Just think about the types of information that could be walking our your door via your lost and found box…and lack of proper policies and/or procedures.
Do an experiment; go to your lost and found area and ask this similar question. Or, if the folks there know you, get someone they don’t know to go ask the question. What do they do?
You could find a way in which information is walking out your door…security lost and…and later privacy breaches found…probably by somebody outside your organization!

Tags: , , , , , , , , , , ,

Leave a Reply