What does a Clear Desk Policy involve, and what threats does it help counter?

A clean desk wouldn’t seem to have much to do with cybersecurity. Yet in between the coffee cups and crisp packets, desks can be a treasure trove of personal information. Everything from print-outs to personal effects can provide clues for would-be cybercriminals, and see the physical world overlapping with the digital one.

Keeping important information in physical rather than digital form can make it more secure in some cases, but only if you approach it in a secure manner. Here’s how a Clear Desk Policy relates to your IT systems, the benefits it can have for cybersecurity, and a few suggestions as to whether it’s the right fit for you.

What is a Clear Desk Policy?

A Clear Desk Policy instructs employees to clear their desk or workstations of all personal belongings when they leave. This includes anything that wasn’t on the desk when they started using it, and applies whenever they leave the desk for an extended period of time. Ideally, no personal effects or sensitive documents should be left unattended at any time, though this is not always realistic.

Clear Desk Policies are an old idea that is coming back into favour thanks to new methods of working. With many employees now working flexibly, some companies are opting to downsize, and use a lower number of hotdesks, which different people use on different days. This sharing of workstations requires that employees are more conscious of maintaining a clean workspace, and of the security of their belongings and data.

Clear Desk Policy and cybersecurity

Whether intentional or not, we all keep things at work that could reveal personal information. From overly generous password hints on our computers to leaving documents or even our phones on our desks, it’s easy to get complacent about the items we leave lying around. This is even more true with the hybrid working models now adopted by many businesses, and the blurring of the lines between our work and home lives.

Hotdesking poses an obvious risk, as any information you leave lying around could be picked up and utilised by the next person to use it, or the person after them. But the reality is that there is always some level of danger in leaving things lying around. Even in a seemingly secure and friendly workplace, there may be people (whether staff or visitors) who could use your information to access your workstation or accounts.

The benefit of a Clear Desk Policy for cybersecurity is that it encourages employees to be mindful about what they leave on their desks. While it may not always be 100% effective, it will greatly reduce the potential for sensitive information being left around workstations, and impress on employees the importance of keeping this information close to your chest, and not lying around for anyone to pilfer.

It will also help people to understand what exactly sensitive information is. A birthday card for instance may seem completely innocuous, but if someone knows your birthday and how old you are, they may have a clue to your passwords, PIN numbers or security questions. These kinds of clues can be rendered redundant by better password security, but cybersecurity should always be multifaceted, and not assume that everyone’s passwords will always be strong – particularly as password security can be a hard thing to apply.

Clear Desk Policy and ISO compliance

Another important consideration is ISO compliance. ISO certification provides a framework for businesses to meet common standards in various areas. Not only are Clear Desk Policies relevant for ISO 27001 compliance – an international standard for information security – they also support basic privacy principles.

Here in the UK, the Data Protection Act and GDPR requires businesses to ensure that personal information is kept secure at all times. A Clear Desk Policy is a simple way to secure physical data and devices within the workplace, leaving you free to focus on securing your networks and systems from external threats.

How to apply a Clear Desk Policy

The basic principles of a Clear Desk Policy are simple, and should be easy to apply if they are communicated clearly. Employees should be encouraged to:

Clear their desk at the end of the work day.
Lock any sensitive documents in secure drawers.
Shred and recycle any documents that are no longer needed.
Never leave any printouts in the printer.

A clear desk policy also applies to any devices you use in your workspace:

Lock your computer whenever you’re not using it (Win + L on Windows or Ctrl-Cmd-Q on Mac).
Log out of your account at the end of the work day.
Store mobile and removable devices in locked cabinets when they’re not in use.

A clear desk policy can improve your data security with minimal investment or change, and improve people’s wellbeing, removing the stress of security breaches. Knowing where vital documents are at all times is an effective way to keep worry levels low across your organisation – and tidy desks often lead to tidier minds. For help implementing a Clear Desk Policy or beefing up your cybersecurity, contact a member of the Sota team here.

View all

Blog AI Threats: Taking a closer look into Deepfake Attacks

Blog Cyber Essentials and ISO 27001: Reviewing Security Accreditations

Blog Wired and Wireless: The Backbone of Connectivity

Blog The Benefits of Microsoft SharePoint

Insight The growing threat of AI-driven phishing attacks

Insight How to achieve seamless IT installations

Insight How dedicated IT support services make businesses more efficient

Insight Driving your business into the future with Teams and Skype

Insight 6 key benefits of high availability solutions

Blog The business benefits of IT colocation services

Blog The benefits of a 24/7 global service desk for uninterrupted IT support

Blog The surprising benefits of wired internet for businesses

Blog The business benefits of Microsoft 365

Blog 5 project management techniques for successful IT projects

Blog The business benefits of using Private Ethernet

Blog How to safeguard your data with GDPR and ISO 27001 accreditation

Blog The crucial role of data protection in businesses

Insight What are the benefits of hiring IT consulting services?

Insight How your IT department can benefit from third party support

Insight 5 cybersecurity threats to watch out for

Insight What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Blog 5 important business benefits of VoIP

Blog 5 business benefits of fibre connectivity

Blog How the green cloud is making IT more sustainable

Blog How Microsoft keeps cloud data secure

Blog The key benefits of using Microsoft 365

Blog 4 key business benefits of cloud computing

Insight 5 major benefits of IT consultancy services

Insight Cyber Essentials update: what you need to know

Insight 3 common colocation myths busted

Insight What is session hijacking, and how can I protect against it?

Insight How to build a successful colocation strategy

Blog What happens to your data centre in a blackout?

Blog 5 business cyber security tips for Christmas

Blog Why businesses are switching to Microsoft Azure

Blog Migrating to the cloud in 10 simple steps

Blog How to pick a data centre with the Tier Classification System

Blog 5 green computing ideas to revolutionise your organisation

Insight Why Microsoft Teams is the best way to collaborate online

Insight How ISO 27001 can protect your business’s information

Insight How to keep your devices safe from malware

Insight How you can help mitigate third party breaches

Blog How to implement secure file sharing for your business

Blog How to enlist employees to fight cyber threats

Blog How to avoid being infected with spyware and adware

Blog The best video conferencing apps for businesses

Blog What does a Clear Desk Policy involve, and what threats does it help counter?

Blog How to avoid malicious websites & applications

Blog How to protect your home network from online threats

Blog What is the dark web (and how can I stay safe on it)?

Insight Azure explained: what is it and why do you need it?

Insight 4 simple tips to protect your online privacy

Insight What is a virtual private network (VPN)?

Insight How to make remote working more cyber secure

Blog How to stay safe from cyber crime

Blog What does BYOD mean, and what security risks does it involve?

Blog What’s the difference between information and data?

Blog 5 reasons your business needs unified communications

Blog 4 top tips to pass your Cyber Essentials accreditation

Blog How to fix common laptop problems

Insight What is the UK Data Protection Act, and how does it affect your business?

Insight What is IVR phishing, and how can I avoid it?

Insight Where is data stored, and what is a data breach?

Insight Best practices for email and internet security

Insight How to ensure your cloud computing is legally compliant

Blog What is GDPR, and why does it matter for businesses?

Blog What is PCI DSS and how does it affect you and your organisation?

Blog Social engineering attacks: what they are and how to prevent them

Blog How to handle your organisation’s data and information policy

Blog Why software updates are so important (and how to install them)

Blog How to keep your business safe from ransomware attacks

Insight The best security practices for removable devices and media

Insight What is a denial of service attack, and how can I prevent it?

Insight Why having strong passwords really matters

Insight Why mobile device security matters

Blog How to choose the right IT services provider

Blog How to use social media safely (for individuals and businesses)

Blog How to: safeguard your data

Blog What is: Cyber Essentials Accreditation

Blog The real risk of remote working

Blog Don’t let disaster affect your business

Blog The cyber threat to SME’s