Imagine discovering a stray USB stick on a busy London street. Would you assume it contained nothing of interest? Or would curiosity get the better of you?
This is exactly what happened to one inquisitive Londoner recently. Upon checking the unencrypted USB-stick at nearby library, the man was flabbergasted to find that it contained more than seventy files, each one housing highly sensitive Heathrow security data. From the route the Queen takes to the airport, to a map detailing underground tunnels and escape routes, to the locations of every CCTV camera in the building – the most intimate security details and practices of Heathrow lay completely unprotected and out in the open for anyone to find on the street.
It seems strange, in amongst the (seemingly daily) reports of cyber-attacks and hacking/phishing scams conducted over the internet, to imagine digital information being physically misplaced; but it happens in more ways than you think. A colleague could misplace their work telephone whilst travelling, or leave a bag behind with an unencrypted laptop inside. Drawers containing confidential documents are left unlocked overnight, and USBs from unfamiliar persons/companies used without security scans. Even something as simple as discarding documents into general waste rather than shredding them could unwittingly breach security protocol and devastate the credibility of the entire organisation.
As Geogg Webb, VP at Micro Focus, notes:
'It's definitely not the first time that a lost USB stick has turned up with sensitive information on it. The fact that it was unencrypted is obviously the concern – many organisations have clear policies in place to ensure that information is encrypted wherever it is stored, including on removable media. More broadly, the ability to quickly copy and move very large amounts of data means that encryption will increasingly need to be a standard part of business risk management strategy in order to control access to sensitive information like this.'
The USB was handed into the Sunday Mirror newspaper and eventually passed on to relevant authorities whilst Heathrow launched an internal investigation into matter (still ongoing). However, this case and many like it make for a sombre reminder of the importance of continued security and awareness training when it comes to fostering a compliance culture. Our advice is always to familiarise your employees with the types of breaches and cyber-attacks they could encounter, and to reinforce and refresh this training regularly.
For more information on the Cyber Security and Information Security eLearning courses we offer, please visit our compliance page.