The vCISO’s Critical Role in the Clean Desk

Updated: Feb 11, 2021


When Albert Einstein famously quipped, "If a cluttered desk is a sign of a cluttered mind, of what, then, is an empty desk a sign?" he was certainly not thinking about information security and data privacy regulations.

According to the SANS Clean Desk Policy Template, "A clean desk can produce a positive image when our customers visit the company." They advise us to maintain a clean desk, not only because of the aesthetics but also because it is important in ensuring our companies' security, by keeping out of sight the sensitive information about our employees, customers, intellectual property, and much more.


While office visitors are on hold for now, and for many employees, their work desk has transformed to the kitchen table or living room couch, sooner or later our life will go back to normal, and we should not forget to pay attention to our security.

The Shift in Attack Vector


It's old news at this point that throughout COVID-19, work-from-home and home office workers have been targeted with phishing, bogus collaboration apps, and other malicious campaigns. Cybercriminals took advantage of the crisis-driven shift to WFH, exploiting organizations' delays in rolling out technology and in applying security updates to email and access controls, and using social engineering to prey on remote workers.


Recently the FBI warned of an increase in social engineering vishing attacks. These phone-based "voice phishing" attacks highlight the shift to less technical campaigns that bypass corporate technical security controls such as firewalls, intrusion prevention, and antivirus systems.

Spotlight on Policies


As we approach the one-year anniversary of employees moving to remote work and sharing their workspace with household members, the concern is that employees may not be as mindful of their surroundings and of corporate policies while working from home. Working from home is no excuse to drop your guard or to be less cautious with company data, but does the Clean Desk Policy itself need to change to protect an organization and its data?


The stepchild of the Written Information Security Policy, the Clean Desk policy is often owned and overseen by Compliance, Legal, Information Security, and even Office Operations. The “Clean Desk” policy is finally getting the attention it deserves, and now is our chance to give this often forgotten and overlooked Policy an upgrade.


Reviewing and updating corporate policies is typically an annual “to do” list item unless a significant change or event triggers an update. These days corporate information security policies, such as the quickly evolving Work from Home policies, have as many variants as COVID-19, but the Clean Desk Policy takes the spotlight from all others. It has changed more in the past year than any other policy, and if you have not updated your Clean Desk policy, now is the time.

Don’t Forget the Basics


At its core, the Clean Desk Policy still makes complete sense and should easily transfer to working from home. Basics such as:

  • During known extended periods away from your desk, such as a lunch break, sensitive working papers are expected to be placed in secure locations.

  • Lock away portable computing devices such as laptops or tablets.

  • At the end of the working day, the employee is expected to tidy their desk and to put away all office papers.

  • And much more.


Complexity Creates Obstacles


Trade secrets, intellectual property, the alphabet soup of privacy regulations, and data protection make it obvious that the Clean Desk policy is just as important when working from a home office as it was in the corporate office.


Where the Clean Desk policy gets complicated is when discussing non-physical assets. For example, you will likely need to update clean desk policies to address the need for employees to review and discuss company information in a private setting. The definition of a private setting can also get confusing, especially in a home filled with remote learners, working family members, shared printers and monitors, and don’t forget smart devices such as digital assistants, speakers, and security cameras.


As the recent Forbes article “Is Joe Biden’s Peloton Bike Really A Cybersecurity Risk?” shows, working from our exercise equipment may also pose a security risk, and you may want to include it in your updated Clean Desk policy. It also gives me an idea for a future blog post: “Why dumbbells are more secure than smart workout equipment.”


Role of the vCISO


The virtual CISO is charged with continuous risk assessment, which includes making sure information security policies are a reality and are reasonably enforced. If your client implements a “clean desk” policy in the physical corporate office, require employees to follow the same policy in their home office. The vCISO should update training material to highlight best practices for protecting company data while working from home. Also, consider offering specialized role-specific training so that high-risk employees, such as HR staff, are well trained and policies are properly implemented.


The pandemic has given vCISOs the opportunity to highlight the importance of home security to clients, especially for employees working with sensitive data. Cyber awareness training developed for in-office best practices, such as “don’t speak about sensitive business in a crowded elevator,” must be modified to “don’t speak about sensitive business during your spouse’s Zoom meeting or near your Alexa digital assistant.” vCISOs must adapt training to cover remote-work and home office situations.


Perform regular audits and surveys of home and remote offices. Among the most significant threat vectors is unmanaged and poorly secured home technology, such as the many IoT devices that include microphone and camera features. Most employees have made investments in home office technology since the start of the pandemic, making frequent audits even more important.


Education is key to protecting the “clean desk.” A significant problem, unfortunately, is that remote employees don’t perform regular backups, and data saved on local drives will be lost if a device is damaged or, worse, stolen. Data backups and disaster recovery measures need to be thoroughly reviewed and part of Clean Desk training.


The prevailing message behind all these steps is abundantly clear. Businesses big and small need to continue strengthening their cyber policies. The COVID-19 pandemic is continuing in 2021, and no organization wants to be unprepared for what happens next. As vCISOs, we hope for the best while we prepare our clients for the worst.


Sources:

Meola, Andrew. “A Look at Examples of IoT Devices and Their Business Applications in 2021.” Business Insider, Business Insider, 27 Jan. 2021, www.businessinsider.com/internet-of-things-devices-examples.

O'Flaherty, Kate. “Is Joe Biden's Peloton Bike Really A Cybersecurity Risk?” Forbes, Forbes Magazine, 20 Jan. 2021, www.forbes.com/sites/kateoflahertyuk/2021/01/20/is-joe-bidens-peloton-bike-really-a-cybersecurity-risk/?sh=5c9e738655e9.

Gatlan, Sergiu. “FBI Warns of Vishing Attacks Stealing Corporate Accounts.” BleepingComputer, BleepingComputer, 18 Jan. 2021, www.bleepingcomputer.com/news/security/fbi-warns-of-vishing-attacks-stealing-corporate-accounts/.
