I was surprised (and somewhat smug) over the recent spate of people who should know better being caught by photographers holding sensitive documents on public display.
The reason for my smugness is that on a piece of work I’m doing, amongst other handling rules, I insisted on large A3 envelopes being issued to the project team, and the players in the project were referred to by codenames. All papers were to be carried within and stored behind lock and key, which caused much good-natured bickering within the team.
The documents are held electronically, behind dual-skinned firewalls, stored on laptops with full hard disk encryption, and subject to a robust patching and AV routine. It would take considerable effort to get at them.
However, there would be people in the building who would be very interested in seeing even just the front page. It was nothing particularly sensitive, just a key point in a commercial process.
It’s nice to be able to pin back why we preach good security against real-life examples, but we’re not all top police officers carrying documents of national security. Is the lesson still relevant?
I frequently take a train between Ipswich and London, and there is usually a high number of employees of a certain telco with me, beavering away on their laptops and mobiles. I’ve heard the status of bids, seen designs for customers’ networks and generally gained information that I would never have the technical skills to “hack”.
Security does not stop at the firewall. Much in the same way that people now break into houses to steal car keys because it’s too difficult to hotwire a car, if you are confident your IT infrastructure is secure, you must think wider.