Is the open floor plan trend a data security headache?

Today, more and more businesses are foregoing the traditional design setup of cubicles and closed-off offices for an open floor plan. Companies like Facebook and Google market their open-office floor plans to potential employees, touting that the design allows workers to work closely together and fosters a culture of collaboration.

It’s a trend that isn’t going away anytime soon: according to the International Management Facility Association, 70 percent of American employees now work in open-office environments and Facebook is working on a Frank Gehry-designed expansion which will give the social network’s Menlo Park headquarters the distinction of having the world’s largest open-office floor plan when completed in Spring 2015.

[A view of the world from your office] 

One thing is for certain, having an open floor plan tips the balance between private and public and this shift majorly affects how proprietary and sensitive company information is protected. This raises the question: what data security threats does the open floor plan expose and how can security professionals manage this potential data security headache?

Threat of visual hacking

Visual hacking, or the act of viewing or capturing sensitive, confidential and private information for unauthorized use, is a major data security risk in the age of the open-office floor plan. With employees changing workspaces regularly, it is all too easy for vendors, third parties or even malicious workers to see confidential information or gain the credentials to penetrate further into the company’s databases from a device screen or hard copy file. With Google glass and the high quality of smartphone cameras, covertly capturing images of data or credentials becomes an easy feat.

Potential solutions: Data security and privacy teams should explore both company policies and physical solutions to combat visual hacking:  

• Protect against visual hacking from virtually every angle by coupling traditional privacy filters with 3M ePrivacy Filter technology, a software that alerts users when an over-the-shoulder onlooker is behind them and blurs the screen when a user looks or walks away.
• Encourage workers to be aware of their surroundings and angle device screens away from high-traffic areas.
• Instruct workers that all computer monitors and device displays should be shut down and password protected when not in use.
• Implement a clean desk policy and ensure that workers remove any files containing proprietary information that are in plain view immediately after use.

Lack of speech privacy

Just as the risk of employees seeing information that they shouldn’t in the open floor plan office, so too exists the possibility of employees overhearing conversations they shouldn’t.

[Punish careless employees to reduce security breaches, vendor says]

Potential solutions: In addition to educating employees on what types of conversations should be taken to a private location, security teams can protect speech privacy by taking the following measures:

• Utilize sound-masking technologies, such as white and pink noise machines, to drown out conversations by surrounding workers. 
• Set aside a room for workers to use for phone calls or small group conversations.
• Employ the use of professional instant message systems like Spark to allow employees to quickly touch base on items without verbally disrupting the office. 

Increased risk of device and document theft

When companies have an open floor plan environment, there will naturally be a high number of individuals in and out of the space during any given day. While this can benefit collaboration efforts in the organization, it also means a higher number of individuals in the vicinity of devices and documents containing confidential information. When these items go missing, it causes major data security issues. In 2010, Ponemon Institute conducted a study with Intel that looked at the cost of lost or stolen laptops for businesses. We found that while the majority of laptops were lost offsite or in transit/travel, 12 percent were actually lost or stolen in the workplace.

 [Watermark Retirement Communities suffers laptop theft]

Potential solutions: Security teams should take measures to not only protect against the physical theft of proprietary information but also ensure that if a device is stolen, the damage can be mitigated through additional security measures:

• Mandate that devices as well as bags, briefcases, folders or any other holder for confidential documents should not be left unattended for any reason.
• Equip office spaces with secure drawers or other storage areas where confidential documents or devices can be placed.
• Provide laptop security cable locks at workspaces.
• Furnish all devices with access to company information with anti-theft features like data encryption and remote wipe.
• Install cameras to monitor the open workroom to help hold workers accountable and in the worst-case scenario, identify any workers or vendors that may be removing devices or documents from a workspace.

In the age of the open office floor plan, company policies and procedures should define what information can be accessed where and when and help to safeguard from these new threats to data security that come along with the trend. Creating an ongoing communication and education plan for employees highlighting the potential data security risks associated with the open floor plan can serve to keep the topic top of mind. Coupling these with physical controls and software can help maintain a protected office environment. Particularly in larger companies, workers could find themselves completing tasks alongside different individuals on a daily basis and it is up to the data security teams to ensure that confidential and sensitive information remains secure in this new environment.

Larry Ponemon is chairman and founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy and data protection practices, and chairman of the Visual Privacy Advisory Council, a panel of privacy and security experts dedicated to bringing more awareness and attention to the issue of visual hacking.