[This is also sometimes referred to as POPI: Protection Of Proprietary Information.]
Trash/Dumpster Diving: confidential information in the trash. I have taken the time to check the dumpster and found sheaves of documents on the firm's new products as well as their special pricing schedules. When reported it was quickly covered up and the employee(s) responsible were "counseled". See also Mitnick's books, among others, on Social Engineering.
Shredding: I have suggested and implemented shredding programs at a few firms. Special locking bins where the paper 'checks in but doesn't check out' until a bonded shredding firm comes by to pick them up for destruction. However, I have found companies or departments with confidential shred baskets exactly the same as and next to the recycling baskets but with the word "Confidential" written in Magic Marker on the side...the janitors each night simply either included it in the regular trash or in the recycled trash...never understood or cared that they were to place that material in the special lockable bin at the loading dock.
[We once found top secret documents blowing down the street, 4 blocks from our site. Seems a homeless man picked up a trash bag and it broke open on his shopping cart...oops, janitors were throwing TS docs into regular trash. Exciting times.]
Whiteboards: I have found amazingly detailed confidential sales, product development, roll out and scale up strategies and plans left on whiteboards in most firms I've worked. Many are visible through the ground floor windows: visible to any passerby. In other areas they are also visible to visitors, contractors and employees from other firms and in-house employees without a 'need to know.' At one firm we had a 'Technology Summit' where all our competitors were invited and such plans were clearly left visible to all, as the visitors went to the rest room or to the balcony to smoke--until I erased them (surreptitiously mind you, MYOB, "just a guard").
Wireless Presentation equipment and scanners: I am, as you may have noticed, a weird guard. I have walked the campus of firms with a radio scanner and once found what I thought was a listening device transmitting a confidential meeting discussion in real time! I located the talk and found that the executive was using a wireless presentation cordless mic to do the presentation. I picked it up over 200 yds away. [Now, I know you understand that this means anyone, sitting in a car, down the street can listen in too...competitive intelligence (CI) anyone?]
I had forgotten STFU/MYOB for a moment (and was soooo impressed with myself) that during the talk's break time I approached the speaker quietly and mentioned what I had discovered. She, a VP, became livid (really nice shade of red) "How dare you listen in to our talk! I'll have your job!" (Please take it!) "Ma'am, I'm in Security, we do this sometimes to ensure there are no listening bugs in the meeting rooms. Sorry if I disturbed your meeting." This was immediately reported to my boss--who had some appreciation of what I was doing...I was told to cease doing it anymore. [BTW, wireless presentations: audio and slides both can be gleaned from the ether via most of today's notebooks.]
WiFi Networks: I have also walked the campuses with one of those cheap wi-fi detector units. I have found and reported to IT the existence and location of unauthorized and unencrypted wi-fi networks set up by employees (not even WPA or a MAC address list!)...including one in the IT department set up by the Assistant Director for his team. I mean really? Dude?!
Tempest: It is NOT up to us to deal with this level of threat. STFU/MYOB, weird after-hours contractors in the area should always be ID'd. Careful, way #326 to lose your job. [Besides, there are cooler newer techs for listening to keyboard stroke emissions, etc.]
Bulletin Boards: (cork ones, not BBS's, although that is possible too.) Great source of personal and company confidential information, if one can read between the lines.
Company Website: Often gives away lots of useful CI information, ex: names of company execs that can be cross referenced with various search engines.
Set up a "Google Alert" for the company's name to your email. I have found confidential info posted by disgruntled employees...who were still working for that company, although not for long.
Facebook: OMG, spill all the personal beans on all your fellow employees, with pictures of you, them and your company restricted areas, and it's indexed by Google and Facebook both!
Fax machines/Photocopiers: Often seriously confidential and/or compromising docs and faxes are left on the machines all day and night....until thrown away or recycled...or picked up by accident by another employee and shared with their friends...and the shop steward. Interesting times! :)
Computer terminals: Oops, employee forgot to log off. Oops, password is on a Post-it note. Oops, your porn surfing visible to folks passing in the hallway.
Notebooks/Laptops/Netbooks/Blackberries/iPhones: Oops, forgot it in the taxi or airport, no full disk encryption, oh well, the thieves will probably just reformat the disk and sell it...no worries, mate! "Now, how do I get a replacement at company expense?"
Gossip: "I probably shouldn't say this, but you won't tell a soul, will you?" Did you know Marsha in Accounting is sleeping with John the VP of Marketing? Bob is gay? Billy is wasted on weed every day? The company just developed a cure for malaria? We are all going to be laid off? ETC, ETC
Lunch room discussions of confidential information in hearing of visitors, contractors and subordinates...and guards.
Insecure Janitorial Cleaning Techniques:
- Leaving ALL the offices on the floor unlocked and open while they make a circuit, doing 1st trash, then vacuuming, then dusting, then dinner and breaks before relocking again at 1am. Well, that's what we have guards for! Right, 3 guards for 12 buildings, they will be sure to prevent anyone from gaining access to your office on the 10th floor at 8:20 PM. Especially when the janitors bring their kids and friends to work and employees bring their buddy while they catch up after hours.
- Janitors often leave perimeter doors wide open while they empty the trash.
- Janitors will open any office or restricted area to which they have a key for anybody who seems to belong in the building. They too are afraid of angering the wrong person and losing their job!
- They leave their master keys in their work smock in the unlocked janitorial closet until they come back on duty.
Guard company information: Your contract guard company's business is not to be shared with clients. For example: you make $11.00 an hour; the client is charged $23.00/hr. Secret guard company information right there. Check your "Security Officer Handbook"...you did read it didn't you?
Your Daily Activity and Incident Reports: Store these in a locked area. The report on finding cocaine in the lunch room or that Alice was fired for threats should not end up as rants on Craigslist.
Your patrol times and routes: becoming public knowledge endangers you and the client.
[Those 2 readers of this blog may remember that I was once written up for not having a clean desk...(however he meant housekeeping not security concerns.) Note that the security office was not on the master key, was on a key restricted to security managers, was not visible from outside the building, and the janitors cleaned the office only during the day when security management was present and confidential information was covered up. (Excuses, excuses, sorry Master Chief)]
Your personal information: You being into shooting guns at the range will seriously scare some employees. [Sure tough guy, you got the right, but they can make your life difficult at work...STFU.]
Do you want folks to know where you live, if you might have to arrest them or their friend? I had my car keyed by an employee fired for embezzlement when I was a very minor part of the investigation. Management said to me "too bad, so sad, your car is not covered by our insurance."
Your use of the company computer can be tracked back to you. Careful if and where you surf the net. I busted a few folks for porn with the simplest forensics. I didn't need EnCase.
Turn off the general GPS on your cell phone. (E911 GPS should be on.) Don't want folks tracking you on patrol to evade, avoid or attack you on site.
No job related tweets or blogs, huh! :)
Access control: One main idea justifying guards is that because not all confidential information can be locked up at all times, except perhaps in Langley, you must prevent unauthorized folks from being able to get into the buildings or special areas to browse, use their cell phone cameras, flash drives or the company fax machines and photocopiers to steal confidential and private data. You keep strangers out of your home, don't you?
Counter Intelligence: The other CI:
- Be alert to cars parked on your streets after hours with an occupant or empty. Note plates in your notebook. They can be picking up transmitted information from your facility via audio or digital bursts. Cool spy stuff...if your facility warrants it. If it makes copy machines, I wouldn't sweat it.
- If employees tell you of a great interview they had for a new job...know what a false flag recruitment is.
- Watch for photographers in the neighborhood. That red winged hawk might not be what they are really photographing.
- Sally in the mail room is driving a new Jag? Might be she has another source of income...like selling your company secrets.
- You have a chance here to let your paranoia really go with this stuff and get fired in a quick and spectacular manner with a reputation as a psycho security freak. STFU/MYOB or...work for the government.
STFU (Shut the F*@k Up!): You must never share the information you discover with friends or family or other guards. [You can be personally sued, fired, arrested and jailed.]
They can't keep it secret...they will not even remember you asked them to keep it confidential. The psychological pressure of "secrets" is enormous and people must release it to reduce that pressure or to seem important.
Employees who work with confidential information daily take it for granted; they do not really see the need for secrecy. Loose lips sink ships!
Remember, reporting your findings to management is both necessary and potentially dangerous to your career...some folks will think you are the threat because they do not believe in CI. Check six!
"Gee wiz boss, shud dat info be left out in the open?" The boss handles it and is the hero. You keep your job. This is part of "managing up."