
The Little Things...

In a world of constantly evolving technology and increasingly sophisticated cyber attacks, it's easy to get so focused on the big security risks that you miss the little everyday things that happen within an organization and pose a potential security risk.


One such example is the habit of putting the telephone handset down on the desk, instead of putting the call on hold.

While it's not as common as it once was, I still see this happen on the odd occasion.

So why is this considered a potential security risk?

Well, the following example happened to me when calling a hospital to speak to someone I knew who was a patient there.

After calling up and being transferred to the correct ward, I told the nurse the name of the patient I wished to speak to and she informed me that they weren't in their room and that she would have to go and look for them.
At that point she put the handset down on the desk and left me on the line listening to the background sounds of a busy hospital.

It was during this time that I overheard a conversation between two nurses who were obviously working near the handset. The conversation wasn't particularly interesting until one nurse asked the other what her username and password were.
The other nurse happily replied with her login credentials, loud and clear enough for me to hear over the phone!! *(Don't share your credentials, people!!)*

Obviously, it was just sheer luck that I happened to be on the phone at the very time this conversation took place. However, if this had been happening consistently over a period of time, it's highly likely that other people calling that particular ward could have been privy to conversations discussing other types of sensitive data. This could include the personal information of patients or staff, or even a patient's medical history.

This can all be avoided by simply pressing the hold button on the phone!


So why do people do it?

While I don't know why the nurse in my example chose to put the handset on the desk instead of putting me on hold, I can think of a few reasons why someone would do this.

- Poor or improper training in using the phone system.
- Lack of awareness of policies or processes for proper call handling.
- No actual policies or processes in place for proper call handling.
- To avoid the annoying 'call on hold' reminder tone.
- Or it could just be a habit.

Whatever the reason, it's far safer (and far more professional) to simply put the call on hold, as you never know who might be on the other end of the line, listening to your private conversations if you don't.