Clean desk policies may appear excessive, but our work desks are extensions of ourselves and we like to add some personal touches to them!
The problem occurs when your organisation loses control of its data. A password on a sticky note stuck to a monitor. A business plan mentioned where non-employees can hear. Customer data left on-screen in a public place. All of these things can give people outside your organisation access to information they shouldn’t have. Even a momentary oversight can result in significant repercussions, including potential legal ramifications.
So what exactly is a clean desk policy? Well, it’s not just about keeping your physical desk clear. While that certainly helps, it’s more about a state of mind. It’s about thinking about what people might see, and ensuring that sensitive data isn’t shown to people who don’t need to be looking at it. Sensitive data could be customer or patient information, intellectual property, or financial records.
We’ll be talking about things like:
- Who accesses your work areas.
- Keeping your physical work area clean.
- Keeping your digital work area clean.
- Looking at your work from home or remote work habits.
Access to your desk
The first line of defence is to decrease the number of people who can access your desk. In most workplaces, this is largely out of your control. Your employer will set security controls like doors and lifts that require you to swipe an ID to open.
However, there are ways that you can help. A common problem in swipe-secured workplaces, for example, is badge surfing (also called tailgating). This happens when someone swipes to get into a work area – and someone walks in behind them without swiping their ID. It works because staff are often happy to let it happen: they’ve forgotten their badge, or they don’t want to bother swiping or typing in a code when the door is already open. So refusing to let someone follow you through on your swipe can feel rude and unsociable.
Although it might feel rude, challenge people you aren’t sure should be coming through into a secure area.
Physical clean desk
Think about who can see and take things from your desk. Customers? Clients? Family or friends of coworkers? Coworkers from different teams? Cleaning staff? People who water the plants? IT contractors? HVAC repair?
If you’re used to a somewhat private work area, you might not be used to thinking about this. It might feel as though team members are the only people who can access your desk. But in most organisations, this isn’t true. A variety of external people could be walking past every day – or night. Not all of those people should see sensitive data or login information.
So it’s important to keep in mind: what if someone who shouldn’t see this walks in?
Follow these principles:
- Don’t write down login details and leave them unattended. Use a password manager instead.
- If you print out documents that include sensitive information – for example, client application forms – ensure that they’re either kept with you at all times or locked away. When you no longer need the printed version, shred it before throwing it away.
- When working with sensitive data, be aware of who can see your monitor.
Digital clean desk
We’ve talked about your physical desk. What about your digital desktop? Who can access that, and what’s on it? Can someone borrow your laptop or mobile phone and look at sensitive files? If not, what’s stopping them? Can they take a drive from your device and gain access to files that way?
Follow these principles:
- Lock your devices whenever you’re not actively using them. If you don’t like constantly typing in passwords, consider using biometric security.
- If your workplace has a secure file server like SharePoint, add any new documents with sensitive data to that environment. Check documents in and out using the proper protocols – they might be frustrating, but they can be the difference between a data breach and data safety.
- Use encryption on your drive, so that someone who removes the data drive from your device can’t read the files without your login credentials.
- If you use an external drive as a backup, use file encryption and keep it in a secure location.
Work From Home clean desk
You can trust your friends and family, right? Well, hopefully. But just because you trust them doesn’t mean your employer should. Regardless, it isn’t always a matter of trust: some data should only be shared with people who need to know it. Besides, family members won’t always be aware of which information needs to be kept secret and which they can talk about, and might inadvertently discuss sensitive topics. Think about your medical files. Would you want your doctor’s family and friends seeing those? They might be trustworthy, but they don’t need to know your private information.
If you work from home, think about your home work space. How do you keep sensitive data away from people who don’t need to see it?
Follow these principles:
- Use a lockable filing cabinet if you must print out sensitive documents. Lock it when you aren’t in the room.
- Keep the door closed when you’re discussing sensitive information.
- Blank your screen when other people are in the room.
Remote Work clean desk
Not all remote work is carried out at home. For example, a lot of people work from cafes when they’re ‘working remotely’ but don’t want to be stuck at home. Working in public places can help you feel less isolated, but it can also put company and customer data at risk.
If you frequently work in a coworking space, library, cafe, or other location where you don’t have control of the environment, you might run into problems like:
- Connecting to public or unsecured wifi networks can expose your device, and through it your organisation’s systems, to other people on the same network.
- People nearby can overhear video meetings in which intellectual property is shared.
- People nearby can see your screen, and read private or sensitive information.
- Leaving your laptop, mobile phone, or any peripherals alone can lead to data loss.
Think about how you can best protect the data you work with. You can’t always control your surroundings; you can control your actions.
Follow these principles:
- Talk to your employer about where you’re planning to work from.
- Use a wifi dongle or connect to your mobile phone’s hotspot. Both of these options use mobile internet, which can be less reliable than an NBN land-based connection, but they don’t rely on other people’s networks.
- If you must use public internet, connect using a VPN that encrypts your communications.
- Warn anyone you’re in a video conference with if there’s a chance you can be overheard.
- Pick a location that gives you the most privacy possible.
- Don’t work on sensitive data where your screen can be seen or recorded.
- Don’t leave your device unattended. Take it with you if you need to leave your table or desk.
A clean desk policy is essential for safeguarding sensitive data and preventing unauthorised access. Prioritising cybersecurity awareness training is key to effectively mitigate threats and protect your organisation. At PhishNet, we reduce the risk of a devastating cyber incident by training your people.
PhishNet trains people to recognise everyday scams and cyber threats through our Cyber Security Awareness Training platform. With clear, measurable results, organisations can meet compliance requirements and proactively reduce the risk of cyber incidents. Talk to us about how awareness training can help protect your people and business.