In each example, an inquisitive fellow commuter picked up the folder, took one look at the contents and promptly handed it to a newspaper. In each case, the newspaper in question was happy to return the folder to its rightful owner after having used the information to craft a front-page news story that was both embarrassing and reputation damaging for the companies ultimately responsible for managing the information.
On reading the subsequent news stories, no doubt many people wondered how anyone could have been so careless. But just how many of us undertake work while commuting with little regard for the security of the information they are working These few high-profile incidents may have grabbed the headlines but during the journey to and from work places every companys information at risk. Employees are leaving files on trains, laptops in bars, and dropping memory sticks in car parks. Then, theres the employees who inadvertently display company information to fellow commuters and think that the commuter train is the ideal location to talk about sensitive company business on the phone.
Our latest research reveals that two thirds of Europes office commuters have no qualms about peering across to see what the person sitting next to them is working on; and more than one in ten (14 per cent) has spotted confidential or highly sensitive information.
The growing use of mobile devices such as smartphones, tablets and laptops has exacerbated the trend of working on the move. But paper documents appear to remain the most vulnerable. They are easily forgotten or disposed of carelessly.
For employers and their lawyers, this type of inadvertent disclosure is a grey area, particularly if the information spotted or overheard turns out to be rather useful competitive intelligence.
The gathering of competitive intelligence is a legitimate business practice, but the line between what is legal and what is ethical can be a fine one. Guidelines produced by law firms often focus on formal anti-trust activity and the kind of information that employees can and cannot solicit or accept from competitors, suppliers or customers; glossing over the far murkier waters of what to do with information that is obtained by accident. That is, if leaning over someones shoulder to read what they are doing or eavesdropping on a conversation can ever be said to be accidental .
Those brave enough to venture into this field find themselves having to trust employees to understand that some behaviour, while not exactly illegal, is still unethical, and honour and integrity should prevent them from taking some of the opportunities they may find themselves presented with.
Most employees believe that information exposed in a public area is fair game, and keeping it safe is entirely the responsibility of the person failing to keep it secure. There are practical things an employer can do to protect the organisation and its employees from such activity. These include proper education on information security for all employees, a shared sense of data responsibility and equipping employees with the IT tools to securely manage and handle information while travelling (such as passwords, device encryption, privacy screens and ensuring that sensitive information is only sent over secure virtual networks). It is particularly important not to forget about paper hard copy documents can be taken out of the business without anyone knowing theyve gone or whos got them.
Accidents will happen, but you can keep them to a minimum by educating, supporting and enabling your employees. At the end of the day, most people are honest and want to do the right thing; people just get tired or rushed or distracted and then it goes wrong. None of this is new of course. Wartime propaganda urged those at home not to discuss the movements of troops or supplies for fear of yielding an advantage to the enemy: loose lips sink ships and careless talk costs lives and many variants thereof were memorable slogans. With the language of military engagement so often used for business purposes, perhaps firms should think of similar campaigns to keep their critical information safe when it’s on the move.
Christian Toon is Head of Information Risk, Europe, at Iron Mountain.