Physical Data Breach: Visual Hacking and Clean Desks
Updated advertising, new marketing campaigns, manufacturer incentives, and the creation of a sales-friendly environment in your showroom may increase traffic. However, not every person who wanders in will be intent on buying a car. Most may be shopping, but not all may be shopping for a car. Paper credit applications on desks, open credit reports on laptops, papers containing sensitive data in the trash, or keys left out on desks are a few of the items malicious actors are looking to exploit at your dealership. Creating and using a Clean Desk Policy can be a very effective first step in securing your dealership against the physical data breaches that visual hackers cause.
Consider the following when creating a Clean Desk Policy.
Is there sufficient space for employees to put away papers during the day? Are desks and cabinets locked at the close of business each day and cleaned out regularly? Are employee workstations cleaned out immediately upon termination? Are notebooks, personal calendars, or other media left out and openly accessible? These often contain data such as contact names and phone numbers which a hacker can use in combination with other data to create a false profile. Shared desks may limit the amount of personal information employees leave at the workstation, as well as discourage the “lived-in” look.
Are devices equipped with privacy screens? Is the use of sticky notes with usernames and passwords on or near devices strictly prohibited? Are devices inventoried and assigned to individual employees? Having devices assigned to groups of users may limit personal responsibility for the security of the device and should be a consideration in equipping workstations.
Are phones and portable devices such as USB memory sticks available, left out on desks, or shared? Consider placing limits on which categories of data may be saved to a portable device, especially a personal, unencrypted device.
Digital Over Paper
Do employees store duplicate copies, i.e. both paper and digital, of documents with sensitive information simply as a habit? Has management made a point to encourage minimal paper use? When paper is used, are shredders available, locked, and emptied routinely by a reliable third party instead of using open trash bins?
Are all fax machines and printers cleared of paper as soon as each document is printed? Do employees have permission to shred papers with personal information if found on the machines? Are whiteboards erased after meetings and papers or notebooks cleared from conference rooms when not in use?
Are documents containing sensitive data kept segregated in locked offices with locked cabinets? Is access to these areas controlled?
Management Sets the Tone
Finally, does management set the tone and expectations in the dealership by following the Clean Desk Policies and Procedures? When management keeps a consistently tidy workspace with materials organized and regularly cleaned out, employees tend to follow.