We put security guards in our office buildings at night, restrict access to our company files, and even screen job applicants, yet when it comes to many of our most common office practices, we leave our doors wide open to information criminals.
The following are seven common — yet preventable — practices that could expose you, your business, and even your customers to risk and victimization by information crime, as well as some strategies for avoiding these risks.
1. DISPOSING OF UNNEEDED OFFICE COMPUTERS
RISK: Upgrading to new PCs in your office? When you get rid of the old computers, how do you ensure no information is left on the hard drives? Deleting files on hard drives and storable media isn’t enough to prevent someone else from recovering that information. Even reformatting a hard drive isn’t enough. Some companies offer “degaussing” services to wipe out data, but some experts think even that isn’t enough. Your private business data, credit card information, and confidential client information could be exposed. Even giving a computer away to a friend, another business, or a charity can be risky — you never know who will have access to residual information on your old hard drives once they leave your offices. Companies should also destroy other devices that contain sensitive data, such as PDAs (e.g. Palm Pilots), memory sticks, SD cards, CDs, DVDs, and other magnetic media and storage devices.
PREVENTION: You could take a sledgehammer to each of your outdated computers, but that might not look very good when you’re wearing a suit and tie. The safest way is to contact a shredding service that shreds not only paper products but also hard drives and storage media such as disks.The Government of Canada and the RCMP developed a report for government agencies on how to properly dispose of hard drive information and the risks if proper procedures aren’t followed: www.rcmp-grc.gc.ca/tsb/pubs/it_sec/g2-003_e.pdf. Also, the Privacy Commissioner of Canada offers six tips on how businesses can protect themselves and their customers from identity theft:
www.privcom.gc.ca/id/business_e.asp.
Ready to safely recycle your PCs now? Donate your decommissioned computers to developing nations through Computer Aid International: www.computer-aid.org.
2. THROWING OUT A CELLPHONE WITH THE SIM CARD STILL INSIDE
RISK: Billions of electronic devices are being thrown out, given away, or recycled. When you upgrade your cell phone, you have to move the little SIM (Subscriber Identification Module) card inside the phone to your new phone, but if you’re using a new cellphone carrier or getting a different number, then what do you do with your old cell phone? All kinds of information such as phone numbers, names, credit card info, and company data may still be stored in the SIM. There have been actual cases where people have had sensitive company data and credit card information stolen after a discarded cellphone had its SIM card exploited by thieves.
PREVENTION: For security purposes, never give away or throw away your cell with the SIM card still inside. Remove your SIM card and break it completely. Even better, destroy it in an office shredder that is capable of shredding plastic such as credit cards. And don’t forget to recycle the phone itself. The Charitable Recycling Program of Canada (www.charitablerecycling.ca) offers you a way to donate your cellphones to charity. And Canada’s Phones for Food program (www.think-food.com/en/index.html) allows you to donate cellphones and printer cartridges to support your local food bank.
3. UNKNOWINGLY SHARING METADATA IN OFFICE DOCUMENTS
RISK: When you share a Word, Excel, or other Office file, or post it to your website, you may not realize how much hidden data can be easily retrieved from it. This hidden data or “metadata” is buried within the code but can appear in some circumstances, or can be extracted using software available to anyone. Some organizations have been embarrassed and even sued, and I know of two cases where metadata caused some awkward situations within organizations. The information in Microsoft Office documents that may be inadvertently exposed includes:
› Your name and initials
› Your company or organization name
› The name of your computer
› The name of the network server or hard disk where you saved the document
› Other file properties and summary information
› The names of previous document authors
› Document version, revisions, and comments
› Template information
› Hidden text or cells
› Personalized views
PREVENTION: One very basic thing you can do before you share or publish documents on the web is check the “Properties” information in Microsoft Office documents, which will also allow you to change or update document information. In Microsoft Word (which is usually the worst offender for embarrassing people with hidden data), you can also go to Tools > Options > View and then select “Hidden Text” to ensure you can see any hidden data. Microsoft Help and Support page offers some tips on this, but even Adobe Acrobat PDF documents contain metadata properties that can be seen by search engines.
For all public documents and legal documents, you might want to consider investing in a utility that will reveal metadata in your documents and then give you the option to “scrub” them to remove it. 3BClean offers a free trial where you can try cleaning a document online (www.3bview.com/3bclean.html). Other products include Metadata Assistant (www.payneconsulting.com/products/metadataretail/) and Workshare Protect (www.workshare.com/products/wsprotect/), which also scans documents for sensitive information such as credit card numbers, passwords, etc.
4. STAFF ACCESSING WEB-BASED EMAIL AT WORK
RISK: Everyone likes to be able to access their personal email account at work through web-based email accounts such as Gmail, Yahoomail, or good old Hotmail. In office environments, Internet access is provided to staff and management through servers in a neutral area on the network often called the “DMZ” (demilitarized zone). When employees access their email through websites, this can create a dangerous “back door” through your company’s security firewall so that viruses, Trojans, worms, and hackers can potentially exploit your network.
PREVENTION: Rethink your staff’s web privileges. If you don’t already have an Internet usage policy in place, develop one now. And if you do have a policy that doesn’t forbid the use of webmail and web-based accounts, have a discussion with your IT support staff, your Internet service provider or an IT security consultant about what changes should be made. If you still want to allow staff the freedom to use the Internet at work for some personal purposes, at least make them aware of some of the dangers of visiting questionable sites and opening up unknown attachments in webmail accounts.
5. STAFF BEING VICTIMIZED BY “PHISHING”
RISK: Many of your staff may already be familiar with the term “phishing” — a scam where an email or a website disguises itself as a legitimate organization in order to trick you into keying in your account number, credit card number, or password. For example, an email purporting to be from the recipient’s bank asks the recipient to log in to their account, but when they do, their information is stolen by an information thief. While staff may be wary about giving out their own banking or credit card information, they may be less cautious when dealing with company matters.
Of course, there are many other ways that enterprising thieves can steal information from web browsers on workplace computers. When someone copies a number or password in order to paste it into a form, web page, or document, the copied information remains on the computer’s clipboard until the next time something is copied. On shared computers, this means that someone else could find out what’s on the clipboard. I’ve had the experience of seeing someone’s entire flight itinerary, credit card number, and all, from the contents of a clipboard. As well, web servers can sometimes read the contents of your clipboard when you’re visiting their site if you’re using a version of Internet Explorer!
PREVENTION: Staff may require some brief seminars or presentations on Internet scams such as phishing. Remind staff never to provide company account information or other sensitive data when it is requested by email. Nor should they click on an embedded link in an email to take them to a login page. As for clipboard contents, your office can always start using a safer browser such as FireFox if you’re worried about Internet Explorer’s security flaws. Software such as Clipboard Clear (posum.com/id15.html) allows you to secure your system by preventing use of the PrintScreen key. It can also prohibit other general uses of the clipboard for greater security.
6. STAFF USING PORTABLE STORAGE DEVICES
RISK: Your executive assistant and other staff probably find that little memory stick or SD disk handy to help them move files from one computer to another within your organization, or when staff want to work on some files at home that are too large to be emailed. As handy as they are, these devices — including anything with storage capacity, such as iPods and Blackberrys — can also create risks for business owners.
Staff may unknowingly transfer computer viruses and worms from their home PC to their PC at work.
Staff may lose the personal storage devices, and if they are not encrypted (password protected), anyone finding the device could access confidential company or client information.
In some cases, staff may also be using personal storage devices to steal information from a company for personal reasons, industrial espionage, or other criminal purposes.
PREVENTION: Educate your staff. Limit those who have permission to plug in personal storage devices. Or even ban them outright, as many organizations have done.
7. DOMAIN NAME POACHING
RISK: It happens all the time, but it’s dangerous to your organization’s image and reputation. Cybersquatting, or domain name poaching can happen in several different ways, but the end result is always complicated, discomfiting, embarrassing, and sometimes costly. In some cases it happens when whoever is responsible for registering your company’s domain names forgets to renew the annual registration, doesn’t receive the reminder notice from the registrar, or perhaps leaves the company without transferring domain name registration duties to another staff member. Domain name poachers, scanning the web for popular domains that have recently expired, purchase the registration themselves. Then they can either try to sell it back to you at a higher price or, more often, they use the domain name to create a website that will take advantage of your regular web traffic. For instance, you might have a business that sells children’s clothing, and a poacher might set up a site that promotes child pornography. This kind of mistake on your part could offend and alienate your customers.
Another example of poaching is where cybersquatters purchase a domain name similar to yours, but with a different top level domain; e.g. your domain name is acmeconsulting.ca and they develop an alternate site on the domain name acmeconsulting.com. If potential clients type in the .com version by mistake, they will be directed to the wrong site, or if the listing in the search engines is similar, they might click on the wrong listing, thinking they were accessing your site. Some cybersquatters even buy misspellings of popular domain names (e.g. micorsoft.com) because when a site has millions of users, even a small percentage will misspell the name.
PREVENTION: Don’t think it’ll happen to you? That’s what they all say. Make sure that the administrative contact information for your domain name account is kept up to date and that an alternate email address is provided so that if a staff member suddenly leaves or is fired, someone will still receive domain name renewal notices. You can also register your domain name for up to 10 years so that renewals do not come up often. To prevent domain name poachers from buying similar domain names, you can pay for “defensive registrations,” which means registering them in your company’s name so they are no longer available to other buyers.
