Is the open floor plan trend a data security headache?

While this photo shows an office worker using a headset, the new version of Nuance's Dragon NaturallySpeaking supports built-in microphones on notebooks.

Today, more and more businesses are forgoing the traditional design setup of cubicles and closed-off offices for an open floor plan. Companies like Facebook and Google market their open-office floor plans to potential employees, touting that the design allows workers to work closely together and fosters a culture of collaboration.

It's a trend that isn't going away anytime soon: according to the International Management Facility Association, 70 percent of American employees now work in open-office environments, and Facebook is working on a Frank Gehry-designed expansion that will give the social network's Menlo Park headquarters the distinction of having the world's largest open-office floor plan when completed in Spring 2015.

One thing is for certain: having an open floor plan tips the balance between private and public, and this shift majorly affects how proprietary and sensitive company information is protected. This raises the question: what data security threats does the open floor plan expose, and how can security professionals manage this potential data security headache?


Threat of visual hacking

Visual hacking, or the act of viewing or capturing sensitive, confidential and private information for unauthorized use, is a major data security risk in the age of the open-office floor plan. With employees changing workspaces regularly, it is all too easy for vendors, third parties or even malicious workers to see confidential information or gain the credentials to penetrate further into the company's databases from a device screen or hard copy file. With Google Glass and the high quality of smartphone cameras, covertly capturing images of data or credentials becomes an easy feat.


Potential solutions: Data security and privacy teams should explore both company policies and physical solutions to combat visual hacking:

  • Protect against visual hacking from virtually every angle by coupling traditional privacy filters with 3M ePrivacy Filter technology, software that alerts users when an over-the-shoulder onlooker is behind them and blurs the screen when a user looks or walks away.
  • Encourage workers to be aware of their surroundings and angle device screens away from high-traffic areas.
  • Instruct workers that all computer monitors and device displays should be shut down and password protected when not in use.
  • Implement a clean desk policy and ensure that workers remove any files containing proprietary information that are in plain view immediately after use.

Lack of speech privacy

Just as there is a risk of employees seeing information that they shouldn't in the open floor plan office, so too exists the possibility of employees overhearing conversations they shouldn't.

Potential solutions: In addition to educating employees on what types of conversations should be taken to a private location, security teams can protect speech privacy by taking the following measures:

  • Utilize sound-masking technologies, such as white and pink noise machines, to drown out conversations by surrounding workers. 
  • Set aside a room for workers to use for phone calls or small group conversations.
  • Employ the use of professional instant message systems like Spark to allow employees to quickly touch base on items without verbally disrupting the office. 


Increased risk of device and document theft

When companies have an open floor plan environment, there will naturally be a high number of individuals in and out of the space during any given day. While this can benefit collaboration efforts in the organization, it also means a higher number of individuals in the vicinity of devices and documents containing confidential information. When these items go missing, it causes major data security issues. In 2010, Ponemon Institute conducted a study with Intel that looked at the cost of lost or stolen laptops for businesses. We found that while the majority of laptops were lost offsite or in transit/travel, 12 percent were actually lost or stolen in the workplace.

Potential solutions: Security teams should take measures to not only protect against the physical theft of proprietary information but also ensure that if a device is stolen, the damage can be mitigated through additional security measures:

  • Mandate that devices as well as bags, briefcases, folders or any other holder for confidential documents should not be left unattended for any reason.
  • Equip office spaces with secure drawers or other storage areas where confidential documents or devices can be placed.
  • Provide laptop security cable locks at workspaces.
  • Furnish all devices with access to company information with anti-theft features like data encryption and remote wipe.
  • Install cameras to monitor the open workroom to help hold workers accountable and, in the worst-case scenario, identify any workers or vendors that may be removing devices or documents from a workspace.

In the age of the open office floor plan, company policies and procedures should define what information can be accessed where and when, and help to safeguard against the new threats to data security that come along with the trend. Creating an ongoing communication and education plan for employees highlighting the potential data security risks associated with the open floor plan can serve to keep the topic top of mind. Coupling these with physical controls and software can help maintain a protected office environment. Particularly in larger companies, workers could find themselves completing tasks alongside different individuals on a daily basis, and it is up to the data security teams to ensure that confidential and sensitive information remains secure in this new environment.

Larry Ponemon is chairman and founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices, and chairman of the Visual Privacy Advisory Council, a panel of privacy and security experts dedicated to bringing more awareness and attention to the issue of visual hacking.
