Now I Lay Me Down to Sleep …
- The main office entrance (in an office tower) was completely open; no entrance doors – just walk off the elevator and into their reception. Thus, no door to lock at night. There was no security in the office tower main-floor lobby.
- The washroom was located off the reception down a hall that led to part of their corporate offices. There were no locks on any doors; anyone could access the private offices during a busy time in reception without being noticed.
- The receptionist was changed out several times a day. All were well meaning and courteous, but they clearly did not have security in mind as I was able to walk about freely – including down to their 2nd level which contained meeting rooms and private offices. My credentials were nothing more than a confident walk and a smile.
- The receptionist’s computer screen was easily visible to anyone in the reception area. I was able to view workers’ calendars and emails coming into the company.
- The meeting room had a door, but no lock. Several important documents were left unattended during break times, as were computers.
- During breaks, I was left to roam about the 2nd floor offices by myself. Most private offices had doors left open. No one paid any attention to me.
- Their corporate WiFi was visible on my smartphone. I didn’t try to log in, but a simple password cracker could have probed for access.
All of this in a multi-million dollar corporation with 60 – 80 professionals as employees; this is not the local Ma-and-Pa accounting office. You would think they should know better. The measures required to correct some of the deficiencies I saw are simple; almost trivial. The change in the corporate mindset is not.
Most likely their corporate culture has grown from decades when information security was an afterthought. I think they have been lulled into a complacent information-security sleep. Unfortunately, the wake-up call will come when there is a serious breach of security in the form of a leak of sensitive client information. Then the Privacy Commissioner and their professional association will throw cold water in their face in the form of sanctions and fines. Their professional reputation will take a serious hit.
At Trinus – where we perform Personal Information Protection Act (PIPA) Compliance and IT Security assessments – we see these types of deficiencies every day. Even our own policies, methods and procedures are under constant review as we raise the information-security awareness among our staff.
Privacy and information security is a new growth industry that has spawned from our complete adoption of technology that allows us to create, consume, and share data effortlessly and at will; it’s ubiquitous. But our corporate and professional attitudes have not kept pace. We still think of it as something that will befall the other guy. It’s time to wake up.