Dirk Dusharme @ Quality Digest

Loose Lips Sink Companies

A cautionary tale

Published: Thursday, July 19, 2018 - 12:03

If asked whether we guard our company’s secrets, most of us would say, “Well, of course I do.” But I’m guessing that if you are a remote worker, or do any work while on the road, you are blithely handing out company secrets and don’t even know it. If nothing bad has happened yet, it’s only because the right (or wrong) person hasn’t been near you as you shared critical company information.

According to Gallup, 43 percent of employees work away from their team at least some of the time. Meaning, at home or elsewhere. And by elsewhere I mean Starbucks, your favorite café, the auto repair shop, the airport, or a doctor’s office. Most remote workers take their laptop with them if they know they are going to be waiting for something. Why waste time, right? And that waiting area is very often a public place.

Or maybe you aren’t technically a remote worker, but you are often on the road and keep in constant contact with your office over the phone or email. You may even log onto a corporate portal, VPN, or even a cloud app to get some work done. It is so easy to work remotely that eventually anywhere seems like your office. Except it isn’t. It’s public. And, not to be paranoid, but you don’t know who’s listening.

As an example, the other day I took my car into the shop to be serviced. As with a lot of other people, I work out of my laptop so I can work anywhere there’s WiFi (or from my mobile hotspot if there is no WiFi).

I sat down, cracked open my laptop, and got to work. A few minutes later a young woman sat down across from me and also brought out her laptop. Obviously she was trying to get some work done as well. In her case, it was personal work.

For the next 15 minutes or so she was on her computer and her cell phone, setting up doctor appointments and doing other personal tasks. None of that is particularly unusual. I do that as well. Nor was it unusual, unfortunately, that her cell phone conversation could be overheard, certainly by me, but most likely others as well.

No, this is not the beginning of a diatribe about using your cell phone in public. We all do it. Rather, this is a cautionary tale. Because during those 15 minutes I learned not only her full name, but also her date of birth, her cell phone number, and her home address. I have a daughter a bit older than that woman (I know this because I overheard her exact birthdate), so it was a bit scary to think that someone who might have heard this conversation could now phone, text, or even visit her at home.

But that’s not all. I also overheard her setting up a doctor’s appointment. With just those small bits of information, I could easily have spear-phished her social security number and quite likely a credit card number within about five minutes.

It’s amazing to think about the amount of damage I could have done just by overhearing an innocent phone conversation.

And that was personal information. If we are that blasé about revealing private information in public, information that could lead to physical or financial harm, how much easier is it for us to reveal damaging information about our company? Presumably, if I don’t care about my personal privacy, I could care even less about my company’s.

How often have you shared login credentials over the phone with a co-worker? Or sales figures. Or upcoming sales. Or even something as mundane as a quality failure. In the wrong hands, how devastating would it be for a publicly traded company to see a tweet about an internal issue that it is trying to resolve? Or how about a competitor learning about an upcoming sale... or a lost sale?

The next time you travel, just listen to the phone conversations around you. You will hear at least one business conversation. If you were a bad guy, it would be easy enough to strike up a conversation with that person. From that you get a company name and employee name to go with that inside information.

And it’s not just verbal conversations. Wander around a café or airport, and look at how many people have laptops open to not just Fox News, CNN, or YouTube, but to spreadsheets and Word documents. Someone could stand behind you with a cell phone nonchalantly aimed at your laptop, recording what’s on the screen. In an airport, you wouldn’t even notice.

This all may sound a little alarmist. And granted, the odds of the wrong person being next to you when you inadvertently start sharing company information are pretty slim, and there are many obvious advantages to working when you have the chance. So it’s all about risk management. It’s not that hard to take some simple precautions to safeguard your work while still getting work done.

Here are a few common mistakes we make when we work in public, along with some simple safeguards.

• Making phone calls that really shouldn’t be overheard because they contain valuable personal or company information. If you have something to say that needs to be private, go to a private place, or at least watch your volume.
• Keeping sensitive company information on your computer. Instead, keep that information on the cloud or a corporate server. I know, cloud-based resources can be a pain in the rear, especially if you don’t have good internet. But... see the next item.
• Not logging off of your computer before going to the bathroom or to order another latte. All it takes is someone to snatch your already logged-in computer with all your stuff on it. Yes, a knowledgeable person could still get into a logged-off computer, but why make it easy for him? It’s all about levels of security.
• Using a public WiFi that you aren’t sure about. By that I mean, are you really logged onto the café’s WiFi, or have you connected to something else? Check. It’s easy enough to do. Just ask the counterperson what the name of the WiFi is (the SSID). This is a real problem in huge public spaces like airports, which often have bogus WiFis waiting for you to log into. The public WiFi name is usually posted in airports or train stations, so check for it before connecting. Forbes has a good write-up on how to safely use airport WiFi.
• Sending sensitive information over email or instant message. We all do it. I still do it, because the odds of someone electronically intercepting my email or IM are pretty darn low, and my information is rarely that sensitive. (Do you really care what next week’s big news item is?) But, if your information is really sensitive, the safest bet is to not share it electronically in a public space. Our web developer, for instance, will not give out login credentials for our various apps over email or instant message. He insists on doing it over the phone... privately. Or as a shortcut, if he is just trying to jog my memory, he might IM me, “Use 3g2x%,” knowing I will understand that those characters are part of a larger password that I should recognize.
• Looking at sensitive information like your bank account or your company’s internal records on your laptop where anyone can look over your shoulder. If you’re going to look at that stuff, position yourself so your back and your screen are facing a wall.

None of these are particularly painful, except for maybe the cloud thing. It’s really just common sense. Think about what you are about to talk about or look at, and ask yourself if that is information you would want someone to have. If not, then be aware of your surroundings and act accordingly.

By the way, I did point out to the woman what I overheard, and that she might want to be more careful. I think she was more taken aback by this unshaven old guy giving her security advice than she was by what I learned. But I’ll bet she remembers the conversation.

About The Author

Dirk Dusharme @ Quality Digest

Dirk Dusharme is Quality Digest’s editor in chief.

Comments

Excellent article

This is something of which I was not aware: "This is a real problem in huge public spaces like airports, which often have bogus WiFis waiting for you to log into." It would not surprise me if the scammers create a WiFi address that looks like the legitimate one to get people to connect to it. Airports meanwhile need to be better at posting the authorized address; I have often had trouble finding it.

Bogus WiFi

Yeah. If you follow that Forbes link in the article you see a pretty good write-up on it. Very often the SSID will be something like "Free WiFi" or something enticing. Usually, I have found, if you try to connect to those WiFi sources, they won't work. But sometimes you get through to a logon web page that looks a bit suspicious, or sometimes is so full of ads that you can't even use it... which I suspect might be the reason for the site. Not so much to steal info but to gather a jillion ad views. In any case, your mobile hotspot usually works better than any WiFi I have ever found in an airport. The airport WiFi usually seems to be so overloaded that using it is painful. Would rather eat up some of my phone data.

Credit Card Comedy

I was on one of Denver International Airport's passenger trains when I overheard a woman halfway down the car trying to order something over her phone. She kept repeating her credit card number loudly. The passengers around me were looking at her quizzically. I said, "Hey, let me write that down." Everyone laughed. She mindlessly ignored the laughter.

Remember: You are not alone in the universe. You are not in a phone booth. You are in public and everyone is listening unless they are on their phone too.

Younger generations

Great article, Dirk. I must confess, as another older fellow, that I continue to be astonished at how "open" the younger generations are about their personal info, relationships, health issues, etc. There was a time... when personal matters were private matters. A number of times I've asked bank employees, government employees, health care employees (usually at a window or reception desk) if we could speak more privately or quietly--in every case their response was cooperative, showing that they recognized some information should not be shared so loudly or openly. It's just that our behaviors don't reflect that value, until we request it.