December 17, 2015

Introducing a Clean Desk Policy: How to Make it Work

“If a cluttered desk is a sign of a cluttered mind,” said Albert Einstein sometime in the early 1900s, “then what are we to think of an empty desk?”

While he was talking about creative thought, in today’s world, a clear workspace is all about information security.

Many companies are now implementing clean desk policies, which specify that documents containing confidential information be removed from a desk or computer screen and locked away when not in use or when the employee has to leave the workstation.

For successful implementation, here is a Clean Desk Policy checklist.  

  • Make it an official policy with a clear start date and visible office support including buy-in by senior management.
  • Put the Clean Desk Policy in writing and make it part of the culture of security in the workplace. Be sure it is communicated to all new employees.
  • Provide a list of items that are allowed at workstations, such as PC/laptop, inbox/outbox, pens, stapler, and clear folders.
  • Support paperless strategies in the office. For example, don’t print emails unnecessarily.
  • Support secure workplace procedures. For example, all desks should have lockable storage. There should be routine back-up of electronic documents. Remove open recycling bins; instead, partner with an information destruction company that provides locked consoles for documents that are no longer needed.  
  • Educate employees about visual hacking, which is a low-tech method of stealing confidential information. The 2015 3M Visual Hacking Experiment conducted by Ponemon Institute found that in nearly nine out of 10 attempts, a ‘planted’ hacker was able to visually hack sensitive company information such as employee access and login credentials. “A hacker often only needs one piece of valuable information to unlock a large-scale data breach,” commented Larry Ponemon. Emphasize clear computer screens when employees are away from the desk.
  • Use posters, email alerts, etc., to regularly communicate important aspects of the policy. For example, keep desks clear of sticky notes that contain passwords, angle computer screens away from high-traffic areas, and secure smartphones and laptops when they are on desks.
  • Provide physical security, and advise employees to protect access cards and keys at all times. Reconsider open floor plans, which pose a greater threat to visual privacy.
  • Create guidelines for outside of the office, and equip mobile devices with privacy filters. An earlier Visual Privacy Productivity Study by Ponemon showed that employees were twice as productive working in a public place when their visual privacy was protected.
  • The policy should stipulate that when an item is lost or stolen, security is immediately notified. The 2014 IT Security Risks Survey by Kaspersky showed that only half of employees reported the loss or theft of a mobile device within one day. But if the device wasn’t locked, whoever had it might be able to access information. Security personnel can’t take any steps to protect sensitive data until they know the device has been compromised.

Leaving a skeleton staff to manage during the holidays? Make sure the office stays secure with a clean desk policy.