Sitting in the train from London to Manchester yesterday, my fellow passenger, an HR Manager in a leading UK Bank, pulled out her laptop and started reviewing the numbers for her department: a spreadsheet that contained details of a month-on-month comparison for the business and made for very interesting reading. Next she started on the report that gave me a detailed understanding of the business model and the financials, which according to me was very confidential and should not have been out in the open.
This report mentioned a few names that were based out of the practice in Mumbai and indicated the next moves that involved promotions and team details. Not being content with this, I accessed the internet and figured out her role in the organisation, her colleagues (named in the emails) and their roles within the department, and the nature of the business. As the journey progressed, I was also able to review a tribunal case that was in progress of an individual within the organisation.
I am sure that this bank does have a great information security program and regularly holds security awareness within departments, but one does not have to enter the building to get data; this data is provided to the external world by the employees themselves. Employees want access to the data and want to be a part of the mobile workforce, but then this exposes an organisation to great security breaches. I’m sure that a privacy screen would have helped in this case and would have been a very effective solution.
Just for a moment, imagine that I was a news reporter or had malicious intent; further digging could have yielded more useful information. I have informed the bank that their security awareness should improve.
Employees must understand that with great freedom comes great responsibility.