Could a Clean Desk Policy Have Prevented Hawaii’s Terrifying False Alert?

1/30/2018

Messy DeskSmile. Click. Gasp.

In one innocent snap of an AP photographer’s camera, an operations officer for Hawaii’s Emergency Management Agency (HEMA) sinks from vigilant public servant to pitiful poster child of the Clean Desk Policy.

The fall from grace occurred last July, during a Boston Herald interview aimed at highlighting Hawaii’s proactive emergency-readiness program. (Hawaii is the first state to prepare residents for the possibility of a North Korean missile strike).

Apparently to tout its diligent public safeguards and perhaps humanize the agency itself, a HEMA official posed proudly for a photo inside the agency’s ‘operations room,’ surrounded by battery of bustling warning screens and data-packed displays.

Unfortunately for HEMA, there was something else in the frame: passwords–apparently to the emergency warning system. There, plain as day, on sticky notes, taped to two computer monitors.

The damning photo resurfaced on Twitter recently, following the island state’s terrifying January 13, 2018 ‘false alarm’ episode, in which a message sent statewide read “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.” 

Whether the leaked password or HEMA systems pictured last July were related to January’s apocalyptic (false) alert has not been confirmed.

But the fallout has clearly gained the attention of state, Federal and military officials, while casting serious doubts upon HEMA’s cybersecurity practices.  

Security-First Reminder

Obviously, the incident serves as a wake-up call to states and agencies working to improve emergency (and perhaps cybersecurity) preparedness.

Astute small-business leaders, however, will recognize the slip-up as an opportunity to revisit their own online and physical security practices–maybe even compelling enough to dust off and update their firm’s clean desk policies (CDP)–a step that companies of every size could probably benefit from.   

Clean Desks, Clear Screens, Less Risk

Clean desk policies have been around for a long time, first used as a management tool to instill in corporate employees a sense of workplace pride and professionalism. Leaders also intended clean desk policies to create a sense of organizational efficiency and competence during visits by customers and partners.

Today, clean desktops, clean screens, and similar workspace security measures are being driven by increased emphasis on breach prevention, fueled by news reports and security standards like
ISO 27001 and ISO 27002.

The aim, of course, is to help ensure that sensitive information, either in digital and physical form, and assets, such as laptops, tablets, etc., are not left unprotected at personal and public workspaces when not in use.  In other words, greater security and compliance with privacy regulations.

Common-sense elements of an effective clean desk policy include ensuring that employees, government and otherwise:

  • Shut down and secure workstations when unused or unattended
  • Stow all documents and electronic media when the workday is over
  • Close and lock all file cabinets containing restricted or sensitive information
  • Properly shred or otherwise dispose of materials that are no longer needed

Also included is keeping work areas free from paper scraps and sticky notes containing login credentials and other sensitive information–a precaution now indelibly seared into HEMA’s collective consciousness?

If you’re not familiar with the latest security standards and best practices (such as clean desks and screens), an IT Managed Services Provider (IT MSP) like TeamLogic IT can be a tremendous resource for strategy and advice, including helping you custom-tailor IT policies and procedures to your company’s needs.