By Maria Korolov, CSO online
Researchers were able to get sensitive corporate information just by looking around corporate offices in 88 percent of attempts, according to a new study.
Michigan-based Ponemon Institute sent researchers to 43 offices belonging to seven large corporations that had previously agreed to participate in benchmarking research. The researchers carried valid identification as temporary employees, and management knew they were coming — though the office staff did not.
The researchers spent up to two hours in each office, wandering around, taking pictures of computer screens, and picking up documents marked “confidential” and putting them in their bags — all deliberately within full view of the regular employees.
In the vast majority of the cases, the regular office staff did not ask any questions or confront the researcher in any way.
Even when the researcher pulled up an Excel spreadsheet on a computer and took a picture of it with their cellphone, most workers did not react.
“We expected to see someone say, ‘Hey, what are you doing here?’ at that point,” said Larry Ponemon, chairman and founder of the institute.
But out of 43 trials, the researcher was confronted by a company employee only seven times when taking pictures of the screen, only four times when it looked like they were stealing confidential documents, and only twice when wandering around looking at things on people’s desks, computer monitors, and at printers, copiers and fax machines.
And there was only one case where the strange behavior was actually reported to management.
The information collected included staff directories, customer information, financial data, access and login credentials, and confidential documents.
Factors that made a noticeable difference in the amount of information collected were clean desk policies, standardized document shredding policies, suspicious reporting processes, and mandatory training and awareness.
Ponemon acknowledged that the researchers had more time in the office than a criminal there under false pretenses might have.
However, he added that in about half of the offices, the first piece of sensitive information was spotted within the first 15 minutes.
In addition, depending on the pretense, a hacker might have more time in the office — and a malicious insider would have all the time in the world.