Hurrah! Security advice that you can implement instantly, without spending any money! Product Director Richard Beeston shares a tale of #CyberStupidity…
Like many people, I regularly commute via train. It’s normal to see lots of people working away in the mornings, and while more people are watching films or TV in the evening, there are still plenty of people who bookend the day with some solid email sorting and document creation – I myself like to use the journey home to catch up on admin activity like sorting my inbox.
But what, you may ask, has this got to do with anything?
I have been asked to write many articles in my time but was stumped recently with a security-related request – until this train journey. We’ve all heard the headline-grabbing side of security, and how code is being weaponised to hold institutions like the NHS to ransom. But we often forget that most security infiltrations don’t come on such a massive scale. Many will still come via the most innocuous of paths, and it’s an example of this that I have chosen to share with you.
The day in question was normal; I’d been in London for meetings and was heading back to Derby on the 18:02. Sat at my table, I contemplated opening my laptop and working and as I continued to think about it, the train inevitably filled up until eventually, I was sat across the table from a well-heeled gentleman who, I’d happened to notice, had a briefcase. These days, briefcases are generally replaced by the backpack so this piqued my interest and instead of working, I decided to just sit and people watch for a while.
With the journey now underway, our commuter proceeded to retrieve a large stack (about 5cm thick) of papers from his briefcase. These papers were then placed on the table and his work commenced. Like many of us, I’m becoming unaccustomed to seeing large amounts of paper as I do a lot of things electronically nowadays, so I continued to people watch. As pages turned I was astonished to see that our subject had printed out his emails and was proceeding to make notes on them for what I can only assume would be his replies. I was now captivated. As the reams and reams of pages continued to turn, it was clear that not only were the emails printed, so were the attachments – all left on show for at least his three travelling companions around the table to see.
Over the past year, I have moved to making notes on Microsoft OneNote and embellishing these notes with pictures. I was recently introduced to Office Lens, a very powerful application which, amongst other things, lets you take pictures at an angle and straightens them out – very useful when at a conference or seminar and you need a picture of the screen or board. It also crops the pictures and has specific settings for screens, whiteboards and papers.
As it happens, the app is also great for more nefarious purposes…
As the journey continued, I thought this would be a good test of social security and the awareness of people around me as well as a good test of the Office Lens app. I was using my iPhone X to read a book (the idea of doing my own work now a distant memory), so I simply swapped over to Office Lens and was able to take a few clear pictures without anyone noticing – one of an email and the other of a Microsoft PowerPoint deck.
From the former, I was able to get our commuter’s name and the names of his colleagues. Their email domains were also a clue to where they worked. I swapped to LinkedIn and was able to quickly ascertain the chap’s company and job role (he should have known better working in the legal profession). From the PowerPoint slide, I was able to see that his organisation had marked the material as sensitive owing to the fact that it related to budgetary considerations, multi-year plans for moving facilities and named individuals involved in these projects.
You may by now be wondering what the point of all this is and asking “Shouldn’t this have turned into a sales pitch by now?” Well it could have been, but I really didn’t want to write it as that – it was more about shining a light on the fact that basic security precautions are still very important. Sure, Daisy Corporate Services can provide security information and event management and other services from our security operations centre (SOC), and yes, I can tell you about our Business Continuity portfolio and secure Connectivity with built-in defence against DDoS. Not to mention our policy-driven networking solutions and secure-by-design hybrid cloud services.
What we can’t sell though is common sense and awareness – and those are the things I really want you to take away from this story. So next time you’re on the train or working in a public space, please think about who is around you. Maybe a simple screen filter will suffice (Daisy sell them), or maybe you should just get a book out instead of working. But please, I implore you, be aware of what you are doing and what people may be able to see.
(Also, please think before you print as well! We really need trees).
Footnote: all data, photos and information have been deleted or fabricated.