This blog post isn't technical in nature or even associated with VirusScan Enterprise. I had to share this though because of its security value, and how it underscores that PEOPLE are the weak point when securing an infrastructure.


I was accompanying my significant other to a doctor appointment (nothing serious); it was the second visit but first time I had been to the facility. We were early for the 1pm appointment as you might expect for doctor appointments, and it was evident that we were the first appointment after lunch because NOBODY was at the front desk or in the foyer area. That's not the issue, but it is a Physical Security issue to leave your building open when nobody is manning the front desk!


Still, I stood at the front desk expecting that someone would be returning any minute now... and waited. It was easily 5+ minutes before a body arrived. Ample time for someone to take advantage of what I noticed while standing at the front desk -

There were sticky notes containing USERNAME and PASSWORD combinations pasted to the desk, the monitor (which was angled so that Customers could see it), and on the wall. My brain quickly went through all the possible acts of evil someone could do with this information, and how simple it would be to snap a hi-res digital photo in an instant, to later use that info at leisure.


Would you be surprised to see something like this in your environment? Let's hope so.


The person who returned to the front desk was a young male, I would guess early twenties. Very friendly and courteous. Completely unaware of the dangerous practice they were engaging in, which realistically threatened their job, the company's data and reputation, and the personally identifiable information of all their customers.


Do you have your own "True Story - The seed of a security breach" to share?

Do you already have security training courses for your employees that cover this sort of thing? I was certainly surprised to find a medical practice that does not. I guess I thought all the news surrounding company data breaches would give people a clue as to the priority and importance, and that industry standards for securing and handling medical information were actually being used. I'm so naive, sometimes.