T 3.44 Carelessness in handling information
It can frequently be observed that organisations have a number of organisational or technical security procedures in place, but these are then undermined by careless handling of the specifications and the technology. A typical example is the almost proverbial sticker on the monitor listing all access passwords. Numerous other examples of carelessness, negligence of duty, or recklessness in the handling of information worthy of protection can also be found.
Examples:
- Employees often disclose the most confidential information about their company using mobile telephones on trains or in restaurants. This information is not only heard by the person on the other end but by everyone around as well. Examples of particularly interesting internal information disclosed this way include why the contract with another company didn't go ahead, or how many millions the planning error in the strategy department cost and how that could bring down the company's stock price if anyone found out about it.
- Often, it is necessary to take along a notebook, an organiser, or other mobile data media on business trips. It can frequently be observed that these are left unattended in the meeting room during breaks, in the train compartment, or in the vehicle. The data stored on these mobile IT systems is often not backed up anywhere else. If the IT systems are stolen, the data is irretrievably lost. In addition, a thief may be able to profit from selling potentially sensitive information if the thief is able to easily access the information due to a lack of encryption or inadequate access protection.
- One reason for taking along a notebook or files on business trips is to be able to make productive use of the travelling time. This practice often provides fellow travellers with interesting insights, since it is virtually impossible to prevent the person sitting next to you on a train or aeroplane from reading the documents or the screen. Publicly accessible areas, e.g. hotel foyers, hotel business centres, or train compartments, generally provide little in the way of privacy protection. If the user enters passwords or has to make changes to the configuration, an attacker could acquire this information with little effort and misuse it.
- Articles regularly appear in the media about government agencies and companies whose paper recycling bins in the backyard contain highly sensitive documents. For example, payroll information on all the employees in one company and the private phone numbers of a company's board of directors became public knowledge in this way.
- If IT systems are defective, they are usually sent in quickly for repair. Once a malfunction has occurred, it is usually no longer possible to delete the data stored on the affected IT system. When a failure occurs, the top priority is usually restoring the operational condition of the device as quickly as possible. For this reason, many specialised suppliers offer a special customer service: they simply replace the defective components and send the customer home with a working system. However, there have been a number of cases where such customer service providers resolved the problem quite quickly during subsequent examination and the next customer was then given the now repaired device just as courteously - including all the data belonging to the previous customer.