October 26, 2015

Implementing a Clean Desk Policy

Whilst most people would be horrified to think that they had left sensitive paperwork in a restaurant or some other public place, many of those same people routinely leave sensitive material in full view on their desks in the office, wrote an online blogger at a security website.

Identity thieves in the workplace can steal information in an instant – whether they simply read it, take a picture of it, or remove a hard copy. While there are many strategies an organisation can use to minimise the risk of a data breach, an office Clean Desk Policy is one of the most basic – and efficient.

A Clean Desk Policy specifies how employees should keep their working space.

“Setting aside time for the structured filing of information is time well spent,” wrote data security consultant Michael Cobb of Cobweb Applications Ltd. in an online blog.

How a Clean Desk Policy is introduced to the workplace can make all the difference. Here’s a plan:

Write it Down: Create a Clean Desk Policy with clear 'dos and don’ts'. Almost one-quarter of British companies in the banking/financial services sector still don’t have one – even though this is the sector consumers trust most with their information, according to Stop-idfraud.co.uk.

High-level staff are on board: “Showing that the very top levels of an organisation are committed to preventing and detecting fraudulent and unethical behaviour has a trickle-down effect on the rest of the organisation,” wrote Daniel Cook, of CIFAS, an independent fraud prevention service in the UK.

Communicate: Ensure all employees read and sign a copy of the policy. Use constant reminders in the workplace too. For example, create an email signature such as ‘please keep the workspace tidy and protect all sensitive information all the time’. Put up posters, and reiterate the importance of compliance with the Data Protection Act in employee communications.

Support: Organise the physical workspace so work areas are private and other people can’t see computer monitors, said Cobb. Provide secure storage facilities for documents and portable electronics. Desk drawers and filing cabinets should lock; where they don’t, provide lockable storage boxes. Equip computers with digital data security.

Paperless initiatives: Ask employees to work with electronic documents when possible. Not printing out documents or handling physical papers will help keep desks cleaner.

Document Management Policy: All confidential data should have a designated ‘owner’ who is responsible for processing and storage. The policy should extend to meeting rooms (confidential information should never be left behind on notepads, flip charts or handouts) and printers and faxes (documents must be removed immediately for filing or disposal).

Document Destruction: Embed secure disposal of documents into day-to-day operations. Partner with a shredding service and replace any open recycling and waste bins with conveniently placed locked consoles that store documents that are no longer needed. Secure shredding services should be regularly scheduled.

Enforcement: Determine a realistic enforcement policy. For example, consider nightly checks and whether ‘notes’ are issued to remind those not following the policy.

Protect electronic data from theft too, with secure hard drive shredder and data destruction services.