Non-Electronic Weaknesses and Vulnerabilities
This section features examples of non-electronic situations corporate spies could exploit to obtain information from a company or a situation. We always evaluate the areas we work in for more than just electronic ways information can be taken.
Look at the pictures of the paper shredder receptacles below. The one on the left is the output from a 1/4" strip cut shredder cutting up one page. The one on the right shows one page having been run through an inexpensive cross cut shredder. The one on the left has 34 pieces; the one on the right has approximately 360. Which one offers at least a minimum degree of security? Strip cut shredders don't begin to provide protection until 25 or more sheets have been cut.
If you must use strip cut shredders, shred everything, particularly if the shredder is the type that sits on top of a waste paper can. Shredding only sensitive papers red flags them as being important if everything else in the can is whole. Then stir the contents to further jumble the results.
Install shredders where they are convenient to use: at admin work stations, in executive offices, next to copy machines, by network printers. If shredders are not conveniently accessible they will not be used. If it is not feasible to provide lots of shredders, consider a centralized shredding function with secure containers placed throughout the facility.
Test your shredder. Inspect the output to make sure pages are being destroyed.
This picture shows a page we ran through the client's high volume shredder.
It only creased the page and didn't shred it at all. Not much protection here.
Document Destruction Services
Some businesses use document destruction services. These services provide containers for storage of sensitive documents. If you use this type of document destruction method, check the containers!
We've found that frequently they are secured by a 4-pin or a 6-pin tumbler lock. These locks are not pick resistant and can be opened quite quickly.
Other containers don't have a barrier to prevent documents from being pulled out.
If your containers have either of these features, or if they have flimsy hinges, you have very little protection. See below.
Be certain to lock away sensitive information.
Here are a couple of examples of what not to do:
One large consumer products company went through a lot of effort to package their annual world-wide marketing plan in nice looking binders. The executives were proud of how it looked and most left them out on their credenzas or on their coffee tables. Anyone strolling through the offices could have picked up a copy. Offices were not locked after hours and the cleaning crew was supplied by the building management. They left floor access doors ajar for convenience.
Another company created a detailed executive protection manual. In it were the home addresses of all of the key executives. Also included were the locations of their vacation homes. For additional benefit of the protection guys, you could find the alarm system access codes for each residence, local law enforcement response times and corporate security response plans for a variety of scenarios.
It was a detailed plan and showed the kind of effort the security department put out, but it was left out in plain sight on an executive's coffee table.
In the corporate counsel's office in a publicly traded company there was a letter, the only document on the attorney's desk. It was from a law firm representing a major investor. In part, it said "we have reviewed the financial information you sent last week and, frankly, we do not have a clue how you can avoid Chapter 11 bancruptcy." There was one locked door between this office and the parking lot and no barriers at all between the night shift and the office.
The company did survive, but what might have happened if this letter was made public? Anyone from the night shift could have strolled into the office.
Log off the network. Shut off the PCs at the end of the day.
Many times we've seen sensitive information on the computer monitor because the user didn't close a document or how many times files could have been download from the company's network and copied because the PC was still logged on.
Physical Security Matters. Repeat this twice.
This applies to both locks and keys and to security systems. Here are some examples of serious weaknesses we've found of various surveys.
The client's elevator lobby was required by fire code to have an emergency egress switch to override the access controlled doors into their offices. The switch was a break-glass type and when the glass broke, the spring loaded switch would close a contact and unlock the door. It turns out that the bezel holding the glass could be unscrewed from its housing. Unscrewing the bezel a few turns allowed the switch to open enough to cause the door to unlock, allowing anyone in the public area of the elevator lobby to enter their premises after hours undetected. Scary.
The client, a large law firm, had recently invested a great deal of money in new file cabinets that were equipped with electronic combination locks. This would let the files to be locked at all times, since the default state of the cabinet lock was secure. However, the default combinations had never been changed. If you wanted to open the top file drawer, you pushed "1". If you wanted to open the next one down, you pushed "2". And so on. Get the picture? The client thought they were adding a level of security, but the net effect was nil without proper implementation.
The alarm system installer for the small business wanted to save some time and aggravation. Rather than pulling the cable from the magnetic contacts on the front door through the fiberglass insulation filled ceiling on the interior of the office space, he ran them in the suspended ceiling in the public hallway outside the offices. Push up a ceiling tile, cut the wires, and you're in.
The door to the telephone equipment room was a solid core fire resistant slab type door. It was equipped with a heavy duty lockset with a pick resistant high security core. However, the jamb wasn't installed very well and there was too much of a gap between the jamb and the door. With a good tug on the lockset, you could free the latch from strike and stroll on in.
These are only a few of the examples of potential problems we have identified during our surveys. Protecting a business against theft of information or of physical property is requirement these days.