In a corporate world seemingly already overwhelmed with a variety of policies – HR, Safety, Infotech, HSE, to name just a few – it may seem the addition of the Clean Desk Policy (CDP) is one more in a long list of policies that employees in an organization are required to follow.
Not so, especially when one considers that the protection and safeguarding of organizational data – something that a CDP can facilitate – is the prime responsibility of every employee.
Techtarget defines the CDP as a corporate directive (1) specifying how employees should maintain their desks (throughout) and at the end of the workday, considering that they deal with sensitive documents and information. By removing all papers and electronic media and by logging off from company networks, employees help not just in presenting a professional image to business visitors, but also, more importantly, ensure they comply with the organization’s security and privacy policies. A typical CDP can therefore include protocols and practices covering:
- Handling electronic devices, drives, and storage of electronic media
- Physical storage and access to drawers, filing cabinets, closets, etc
- Handling of sensitive documents and hard copies of documents
- Restricted and unnecessary printing of files and documents
- Across-office-hours clutter-free desks (and not just at close of the working day)
- Desk sharing, hot desking and hybrid/remote working
The benefits of a CDP
In addition to benefits by way of safety and appearance, a well-implemented CDP, with management support, can provide several advantages to an organization. These could include:
- Tangible benefits in terms of work efficiency, as clean, organized desks are known to make for higher levels of performance
- Creation of a mindset that prompts employees not to procrastinate, but rather to complete tasks on time
- Reinforcement of protocols that ensure environmental benefits with the elimination of clutter, and restrict the unnecessary printing of documents
- Cost savings from more productive use of resources
- Across the board cyber security protocols that include authorized, need-to-have-basis access, password management, system authentication, handling of organization devices both onsite and during business travel et al
- Compliance with a number of rules and regulations like GDPR, ISO 27001/17799, etc.
Implementing a good CDP
CDPs are often looked at in some circles as being time-consuming, hard to implement, a challenge in today’s world of shared workspaces and remote working, a waste of time that could otherwise be spent more productively, and a policy that is relatively disregardful of employee freedom. In fact, a well-implemented CDP, with management support and proper reinforcement, can prove to be an organizational boon that positively impacts onsite, offsite, and at-home working. Implementing a good CDP would involve the definition of several protocols that cover the storage and access of sensitive physical documents including access cards etc, the creation of a list of permissible devices, the protocol for the use of organizational devices, and the judicial use of electronic media, to eliminate or reduce printing of documents. A good CDP is always backed by a sustainable implementation plan that includes:
- Motivation of employees through competitions and acknowledgments of compliance and best practices
- Encouraging employees to report suspicious activity and security lapses
- Gemba walks by senior management at periodic intervals to ensure compliance, and
- A media plan that informs and encourages following of the CDP by the employees
CDP and Cybersecurity
The infamous security lapses at Apple (2), where an employee of Chinese nationality took thousands of photographs of Apple’s self-driving vehicles inside the tech giant’s building, is often cited by advocates of the CDP. Reported by a vigilant colleague, the employee was apprehended just before he left for China, but not before he was successful in gathering a number of sensitive photographs that could have been devastating to Apple’s interests. The incident, one amongst many in the corporate world, makes the case for the CDP as an integral part of the organization’s cyber security plan.
From a custodial point of view, the deployment of a CDP as part of the organization’s security posture is more than justified when one considers that over 55% of all theft at work takes place within the victim’s work area (3). Costs of corporate espionage and business-critical data theft are staggering, to say the least – G4S (2) puts the figure at $1.1 trillion annually for corporate espionage and approximately $400bn a year for remote critical data theft.
Since a significant number of protocols in a CDP cover organizational devices and their use, many organizations have included a Clean Desk Section in their Information Security Policy, rather than have a separate policy.
Enough has already been said about how a strong cyber security posture covering user authentication (4), use of biometrics, strong password management, identity access management (5), and other cyber security measures can benefit organizations by helping prevent devastating losses due to business data exfiltration. So too with insider threats (6) – one of the main areas that CDP addresses. With such immense benefits – from business-critical data safety, loss prevention, employee awareness and discipline, organization image, and more – accruing from its effective deployment, it’s, therefore, a given that CDP becomes an integral part and a must-have for any organization’s cybersecurity posture and setup.