Cyber Security and a Piece of Paper

It all starts with a bit of paper…

There has been a lot of coverage of the Conservative Government’s on and off plans for HS2 – this article is not about that, but how this whole debate started. It started with a photograph of discussion papers that should not have been released. (Topham and Quinn. 2023).

…after publication of a photographed document suggesting further cuts were under discussion.

Gwyn Topham and Ben Quinn. The Guardian. 14 Sep 2023

About a year ago I wrote a piece about how the casual security applied to paper can cause issues. It seemed a suitable time to revisit that article.


Where are the boundaries for your cyber security?

There is only so much budget for your cyber security, so where you spend it needs to give you the best protection possible. When I am talking to clients, we quickly tick off anti-virus, hopefully a ransomware compliant back-up and possibly some advanced threat protection, and they think they are protected.

My opening gambit is then to take the management team through what Triple A, (Authentication, Authorisation and Accountability), means for their business operation and cyber security. A white board is helpful here as we build a model of their operation and the information within that, that needs managing.

Then we talk on.

We quickly get to staff training so the technical cyber security defences will be supported by a vigilant team. Then on to working from anywhere and that leads on to bring-your-own-devices and how the information the team has on those devices needs special attention. Read last week’s post on portable USB storage, if you want to know what I say about that and working from anywhere.

Then we come to something that often surprises the client – paper.

The dream of a paperless office has been spoken about, written about and promised for many years, but it never seems to get here. I get pretty close, thanks to OneNote, my smartphone’s camera and the functionality in the Microsoft 365 for Business app. Paper that is scanned into my system this way (business and personal) is saved into our business security structure. The paper is then shredded.

Then there is paper outside the office

I carry an A5, spiral bound notebook, as I cannot completely get away from paper. It is spiral bound to make it easy to photograph the pages and then destroy them. The notebook drops easily into my bag or even pocket, keeping those confidential notes – confidential.

Buy a shredder

Minister sorry for throwing work documents in park bin | The Guardian

It happens on T.V.

Diana (my partner at Smart Thinking and wife) and I have been watching a lot of television since last Thursday, when the death of Queen Elizabeth II was announced. We have a TV in the office. It was Diana who spotted Clive Myrie with his notepad on display whilst he was interviewing people outside St James’ Palace. That prompted this blog post. Now in my photo you cannot read the writing as I have blurred it. We were not watching in HD and I am sure there is nothing sensitive there, but it illustrates how, when under pressure, one of your team may carelessly give secrets away.

paper is a cyber security risk as well

It happens to government papers

Caught on camera: why Downing Street papers keep getting papped | The Guardian

There has been research for a technical solution to this type of data leak (Fujikawa et al., 2012), but in this case training your team and having policies and procedures in place is probably the best solution.

One more thing about paper before I conclude. We work for a firm of solicitors who wanted to reduce costs on printers. We had to put in place a scheme that did not allow sensitive printouts to sit in printer hoppers for anyone, unauthorised staff or unauthorised visitors, to read.

So, the boundaries of your cyber security extend as far as you need them to and must include not only technical solutions but training, policies and procedures.

Clive Catton MSc (Cyber Security) – by-line and other articles

p.s. Remember the whiteboard mentioned in paragraph 2, photograph it, save it somewhere secure and clean the whiteboard!

References

Fujikawa, M., Kamai, R., Oda, F., Moriyasu, K., Fuchi, S., Takeda, Y., Hikaru, M. & Terada, K. (2012). Development of countermeasure systems for content leaks by video recording/camera shooting. In International Conference on Information Society (i-Society 2012) (pp. 76-81). IEEE.

Topham, G., & Quinn, B. (2023). HS2 at risk of further cuts to route north of Birmingham amid budget squeeze. The Guardian. https://www.theguardian.com/business/2023/sep/14/no-10-refuses-to-confirm-hs2-will-run-to-manchester-sunak-hunt

Further Reading

Why you should care about the TLA AAA!

If you must use portable USB drives, then you must read this…

CyberAwake

This article was originally published on CyberAwake our cyber security awareness training project with F1.

Where are the boundaries for your cyber security? – CyberAwake

Featured Photo by Linda Eller-Shein