Many business owners are surprised to learn that information security breaches are most often an internal occurrence. This was the case with online retailer Showpo, after a former employee allegedly supplied competitor, Black Swallow, with their entire customer database. These 5 office habits will help your business to minimise the risk of potential information security breaches.

1. Keep Printed Documents Concealed

Is highly confidential documentation being left at the company printer? Staff who do not have official access to certain materials should not be able to obtain them in any capacity. In an office environment, we tend to pay more attention to network permissions. However, hard copy documents are often left at the printer, on desks, and in boardrooms, leaving confidential documents accessible to visitors, contractors, and cleaning staff.

Despite this, just 23% of Australian SMEs have a formal Clean Desk Policy in place.

Sensitive paperwork should be cleared at the end of the day, or when leaving your desk unattended for an extended period of time such as lunch breaks and meetings.

2. Restrict or Control Use of Removable Media

Removable media such as flash devices (memory sticks or USB sticks) and removable hard disk drives, as well as technologies such as PDAs, digital cameras, smartphones, Bluetooth devices, and MP3 music players, pose potential security threats to a company in an office setting.

Portable devices possess the ability to transfer information quickly, and can now hold enormous amount of data. The transferability of the media means users are able to remove corporate information quickly, and with a minimised chance of detection. Due to the size of most removable devices, the chances of losing them, or having them stolen are high. This may cause potential issues or liability if the organisation breaches privacy legislation. The devices can carry viruses, malware, and improper content, leading to disruption and public embarrassment. Companies can monitor the use of removable media, and create policies and procedures for the management, training, and security of portable devices. Identify which information is particularly sensitive, confidential or private and inform employees of the required standard of security measures needed when accessing this content.

Employees should be trained and fully aware of the risks associated with removeable media, especially considering that one Google study found almost half of people plug in USB drives they find in the parking lot. Researches scattered 297 USB drives around a university campus in Illinois, finding 48% of them were plugged into devices when found.

3. Spread Awareness About Phishing and Encourage Caution

Phishers exploit employees to gain access to all kinds of internal data, including passwords, confidential material, and even facility access. Phishers imitate legitimate companies that your employees do business with, like vendors, providers, and other services, and try to acquire information through email or over the phone. If your staff don’t know how to recognise them, your company’s defenses are falling short. Preventing breaches like these involves providing security training to all employees on how to identify phishing, and what to do during and after an interaction with a possible phisher. 

4. Implement an Information Security Management System Compliant With ISO 27001

ISO 27001, the international standard for information security management systems, is critical in protecting your business against data loss. At Compliance Council, our ISO 27001 consultants assist companies to achieve compliance with the ISO 27001 standard so they may manage their data effectively.

5. Train Staff On Security Responsibilities and Have All Staff Sign Confidentiality Agreements

Essential services such as technicians, cleaners, and maintenance staff must have restricted access to information. This is not always possible within the office, however, which is why systems are put in place to minimise risk. All staff, as well as freelancers, and services staff who are irregularly or consistently on site, should all have signed confidentiality agreements from the get go. Staff should understand consequences and liabilities that come with the mis-sharing of company data.