Sat in the coffee shop today, as one does as CEO of a huge multinational corporation (let me know if you see him!), and it was surprising to hear the number of different conversations that were going on. On my left were a couple – boss and employee, having a performance review. A group on another table were discussing sales plans for 2014. I'm pretty sure at least two tables were being used for job interviews and were getting shifty looks from staff for not buying bucket loads of coffee, and then I decided to write this post.

Since the coffee culture emerged 10-15 years ago in the UK, it's kind of the new and trendy thing to do – why not decamp from the offices and have your meetings in a cosy coffee shop?  After all, they're full of other people  doing exactly the same thing, surely?

It's odd that some people think it's OK to sit in a completely untrusted environment and start talking sensitive matters, and not even keeping particularly quiet.

It's a good job people don't sit in coffee shops and discuss information security plans. It's a good job The Cloud and BT Openzone are secure and nobody could ever listen in on them. The proverbial “not” of course applies to those last two sentences.

It reminds me of those bars in Washington DC that one would presume are full of government officials, so it's perfectly OK to strike up a conversation about national security. At least that's what I was hearing when I was over there.

Doctors and nurses in bars outside hospitals seem quite content to talk about “patient X”, but using the patient's real name instead.

From the inside looking out, perhaps these people presume there is safety in numbers, that it's a trusted environment because it's a bar, restaurant or coffee shop they've been to before?  But from the outside looking in, and as a seasoned and somewhat frazzled security consultant, it's downright foolish.  We've all signed confidentiality agreements with our employers that expressly forbid us discussing work matters outside of work, especially in untrusted territory, and legislation binds us from discussing personal matters in public.

Under the Human Rights Act, we all have a right to privacy.  That includes companies respecting that right for privacy and not discussing private and/or personal matters in public.  For example – a salary review in a public place breaches Human Rights Legislation.  Salaries are considered a private affair.  I wonder if people know they're breaching legislation?

Something's broken, and it reminded me of the Careless Talk Costs Lives posters that circulated during the last world war.  The only difference is now the “war” is a corporate war, or states trying to steal each other's secrets, but the principle is the same.

It's about time companies took their employee security awareness programmes to the next level – information, be it verbal, written or electronic, MUST be kept inside the corporate perimeter, otherwise there's no way to control it once it's in the open.

This includes coffee shops, and convincing smaller businesses that there is indeed a very real threat of both planned and opportunistic espionage.

Aha… “double expresso for Tim.”  I just love it when Starbucks borrow my personal details just to serve me a drink.  Over and out.
