Last week I wrote about the paperwork associated with a well-run BYOD project and policy. Although I spoke about paperwork, in reality – except for that copy on the office shelf – the paperwork is probably just a collection of M365 and PDF files saved in the cloud.
However, sometimes you do commit important information to paper. The question then is, “what happens to that paper?”
The following article started life a couple of years back but it is still relevant today. My current IT and Cyber Security Audit has a section that deals with the use and disposal of paper that contains sensitive information and has to be accounted for.
There is only so much budget for your cyber security, so where you spend it needs to give you the best protection possible. When I am talking to clients, we quickly tick off anti-virus, hopefully a ransomware-compliant back-up and possibly some advanced threat protection, and they think they are protected.
My opening gambit is then to take the management team through what Triple A (Authentication, Authorisation and Accountability) means for their organisation’s cyber security. A whiteboard is helpful here as we build a model of their operation and the information within it that needs managing.
Then we talk on.
We quickly get to staff training so the technical cyber security defences will be supported by a vigilant team. Then on to working from anywhere and that leads on to bring-your-own-devices and how the information the team has on those devices needs special attention. Read last week’s post on portable USB storage, if you want to know what I say about that and working from anywhere.
Then we come to something that often surprises the client – paper.
The dream of a paperless office has been spoken about, written about and promised for many years, but it never seems to get here. I get pretty close, thanks to OneNote, my smartphone’s camera and the functionality in the Microsoft 365 for Business app. Paper that is scanned into my system this way (business and personal) is saved into our business security structure. The paper is then shredded and recycled.
Then there is paper outside the office.
I carry an A5, spiral-bound notebook, as I cannot completely get away from paper. It is spiral-bound to make it easy to photograph the pages and then destroy them. The notebook drops easily into my bag or even a pocket, keeping those confidential notes – confidential.
Buy a shredder!
Minister sorry for throwing work documents in park bin | The Guardian
Diana (my partner at Smart Thinking and wife) and I watched a lot of television after the Thursday when the death of Queen Elizabeth II was announced. We have a TV in the office. It was Diana who spotted Clive Myrie with his notepad on display whilst he was interviewing people outside St James’ Palace. That prompted this blog post. Now, in my photo you cannot read the writing: I have blurred it, we were not watching in HD and I am sure there is nothing sensitive there. But it illustrates how, when under pressure, one of your team may carelessly give secrets away.
It happens to government papers.
Caught on camera: why Downing Street papers keep getting papped | The Guardian
There has been research for a technical solution to this type of data leak (Fujikawa et al., 2012), but in this case training your team and having policies and procedures in place is probably the best solution.
One more thing about paper before I conclude. We work for a firm of solicitors who wanted to reduce costs on printers. We had to put in place a scheme that did not allow sensitive printouts to sit in printer hoppers for anyone, unauthorised staff or unauthorised visitors, to read.
So, the boundaries of your cyber security extend as far as you need them to and must include not only technical solutions but training, policies and procedures.
Taking a break
Producing two in-depth, entertaining and informative articles each week about cyber security takes time and creativity. I have a OneNote notebook full of ideas, I read about the current threat landscape, I discuss cyber issues with clients and colleagues and then I have to sit down and in about 500 words get my ideas across in non-technical language. Images need to be sourced, references cited and then the whole lot goes for editing and then we publish. To keep the quality up I need a break.
We will be back in January 2025, until then enjoy the festive season.
Clive Catton MSc (Cyber Security) – by-line and other articles
p.s. Remember the whiteboard I mentioned? Photograph it, save the image somewhere secure and then thoroughly clean the whiteboard!
References
Fujikawa, M., Kamai, R., Oda, F., Moriyasu, K., Fuchi, S., Takeda, Y., Hikaru, M. & Terada, K. (2012). Development of countermeasure systems for content leaks by video recording/camera shooting. In International Conference on Information Society (i-Society 2012) (pp. 76-81). IEEE.
Further Reading
The Principle of Least Privilege and Authentication, Authorisation and Accountability – A Primer
If you must use portable USB drives, then you must read this…