IT Baseline Protection Manual T 3.44 Carelessness in handling information
It is frequently observed that although a number of organisational or technical security procedures are in place, these are undermined through careless handling of the technology. A typical example of this is the almost proverbial sticker on the monitor which contains a list of all the access passwords. Abundant other examples of carelessness, dereliction of duty or recklessness in handling information that needs to be kept secure are also to be found.
Examples:
Employees often divulge confidential information about their company over mobile phones on trains or in restaurants. This information is heard not only by the person at the other end but also by everyone around them. Examples of particularly interesting internal information divulged in this way include:
why a contract with another company was lost, or
how many millions the planning errors in the strategy department have cost, and how this could depress the company's share price if anyone were to find out about it.
Often it is necessary during business trips to take a notebook, an organiser or data storage media along. During breaks, these are casually left behind in the meeting room, the train compartment or the car. The data stored on these mobile IT systems is often not backed up anywhere else. If the IT system is then stolen, the data is lost forever. In addition, a thief may be able to make good money from the sale of potentially explosive data that he was able to access easily because it was neither encrypted nor protected by access controls.
One reason for taking a notebook or files on business trips is to make productive use of travelling time. This practice often provides fellow travellers with interesting insights, as it is virtually impossible on a train or aircraft to prevent the person in the next seat from also reading the documents or the screen.
Premises which are open to the public, e.g. hotel foyers, hotel business centres or train compartments, generally provide little in the way of privacy protection. If the user enters passwords or has to make changes to the configuration in such places, an adversary could observe this information and misuse it.
Articles appear at regular intervals in the press about public bodies and companies whose dustbins in the rear yard contain highly sensitive documents. For example, pay information for all the employees of one company and the ex-directory phone numbers of a company's board of directors have become public knowledge by this means.
When IT systems develop faults, they are sent quickly for repair. Once a system has developed a fault it is often no longer possible to delete the data stored on it. When a failure occurs, the top priority is usually to have a working machine again as soon as possible. For this reason, many specialist suppliers offer a special customer service which involves simply exchanging defective components and sending customers home with a system that works.
However, there have been a number of cases where such dealers were able to resolve the problem quite quickly during subsequent examination, and the next customer was then generously given the now repaired machine - including all the data belonging to the original customer.