When people think about information security, they usually associate it with computer security — something for computer people to worry about. However, many of the highest-profile information security incidents in 2005 were caused by flaws in physical security.
For example, Ford Motor Co. notified 70,000 people that their names, addresses and Social Security numbers had been taken by a thief who simply walked off with a computer. Similarly, Time Warner reported the theft of a computer tape containing sensitive information for 600,000 people. Flawed physical security practices put millions of people at risk of identity theft every year.
Whether you are a multiple listing service or association executive, broker, Realtor or other real estate professional, you personally should be concerned. If you are an agent or broker, you may store personal and financial information about the consumer and his or her family in your contact management system, in your MLS, or in a physical file. If you work at an association or MLS, you may have access to members’ sensitive personal, professional and dues payment information. Where is this sensitive information located? It’s stored in printed reports, voicemail, faxes, on computers and backup tapes, and on forms. Improving physical security in all of these areas can dramatically lower risk of information theft. For example:
Building and Work Area Security
The office should have a quality lock and a monitored alarm system. Areas that house sensitive information should be accessible only by signing in with a receptionist, and there should be no way to bypass a busy or indisposed receptionist. Non-employees should always be accompanied once they leave the reception area. Companies should screen and ideally supervise vendor and repair personnel. Non-employees should never be allowed physical access to employee computers or to the internal office network by plugging in their computer or using the wireless network. Employees should be trained to challenge unfamiliar visitors in a professional manner and to be watchful of their activities.
Fax machines should be located in an area requiring need-to-know employee-only access. File cabinets should always be locked and in secure areas. Documents with sensitive information should never be left unattended on desktops; they should be locked in a drawer when not in use, and drawer keys should be secured. These documents should be kept no longer than needed, and should be disposed of using a crosscut shredder.
Computer Theft or Misuse
Do not leave a laptop unattended – but if you must, use a laptop cable to make it more difficult for someone to walk away with it. This is especially important when traveling. Workstations should also be cabled to furniture to deter theft. Servers and telecommunications equipment should be in a locked case – in a locked rack – in a locked room. Remember: someone with physical access can bypass even the best technical countermeasures.
Portable Electronic Media
Always store portable media such as backup tapes, CDs, disks, external hard drives and flash memory drives in a secure locked location. Encrypt data on these media if possible. Dispose of electronic media securely — always use software utilities designed to overwrite sensitive information on disks and tapes, and shred data CDs.
About keys: Even if you collect keys when employees leave, keys are easy to copy. Since it is expensive to replace locks when an employee leaves, it is done rarely, increasing security risks. Ideally, use a magnetic badge system that individually tracks those entering sensitive office areas. That way, when an employee leaves, you simply disable their badge.
Look around your office for all the places where you store sensitive information, and consider taking the above steps to protect that information. You don’t have to be a “computer person” to help protect sensitive information from misuse.
Matt Cohen is chief technologist for Clareity Consulting, an information technology consulting company for the real estate industry.
What’s your opinion? Send your Letter to the Editor to email@example.com.