Data security management continues to be a top business challenge for CIOs, CTOs, and Senior IT professionals in small, medium, and large businesses across all industries. In fact, according to a recent survey by Gartner of more than 2,000 CIOs, data security remains a top ten CIO concern just as it has for the last decade.
Additionally, CIOs see some emerging technologies as fundamentally disrupting their business operations when looking forward over the next decade. These technologies include mobile, big data and analytics, social media, and public cloud to mention a few. The underlying data security management threat remains a significant challenge to IT professionals as each of these emerging technologies is deployed within their organization. The data security issues surrounding these technologies typically are most disruptive when they are deployed in combination within a SMB technology operating plan that is often challenged for competing IT resources.
So how can IT staff craft effective data security management policies in a SMB? Traditional data security management initiatives focus first on minimizing digital security threats. The most popular threats today include Malware, Botnets, BYOD, Cloud and Mobile Security. A comprehensive security policy will however include a plan for securing an organization’s non-digital assets as well at the digital ones. Think for example about your organization’s use of paper and the sensitive data contained in all those paper documents circulated throughout your organization.
What role should IT professionals play to protect sensitive corporate information printed within paper based documents? The information technology group in smaller companies and the CIO or CISO in larger companies must take the lead in providing company wide data security of both digital and non-digital assets. This implies that IT professionals take ownership of securing non-digital assets and provide mechanisms for employees to routinely shred sensitive paper based documents that are no longer active. The paper based assets should be viewed as an extension of the underlying digital data from which they were generated. When sensitive data is handled securely in this manner organizations achieve cradle to grave secure access to this data and minimize their liabilities associated with the data.
Properly securing these non-digital assets is critical to your organizations long term success. There are many news reports of negative press or leaked sensitive corporate information originating from a nosy garbage dumpster diving investigator or competitor. Many times searching through an organization’s trash is perfectly legal. Legality is based on the local laws and whether the trash that is thrown out and then picked up by collection trucks resides on public property.
It is difficult to believe but an individuals’ trash is not always protected by privacy laws. According to a 1998 Supreme Court ruling, Americans do not have a right to privacy when it comes to their personal trash. Once paper has been discarded it becomes part of the public domain. In addition, the Economic Espionage Act of 1996 made it a federal offense to steal trade information but it does not protect companies that fail to take reasonable steps to protect their information.
So what are considered “reasonable steps” that IT professionals should take in the securing of corporate information?
Organizations should hold onto paper documents only as long as they believe they are needed to produce, support, or maintain an organization’s products and services. The documents should also be retained as long as the law requires. At the point of document destruction employees should follow corporate policies for disposal. This is especially true in heavily regulated industries such as health care, financial services, and legal industries.
Every company’s IT department should have policies in place which dictate how long different types of documents should be kept available for recall. Some companies will digitize paper based documents, store them in a retrieval system, and then shred the original. These digital retrieval systems do safely secure the information contained in these documents. Unfortunately, this is a luxury that is beyond the budgets of many SMBs.
The biggest challenge for securing paper documents is to set up retention policies for documents the employees need to handle and access in order to perform their jobs. A second challenge is the execution of the proper disposal instructions as soon as the retention period has expired.
Shred it, do not just toss it should be an important part of your overall data security management policy. When either customer information or employee information is ready for the trash, it should be properly shredded if it contains information your organization does not want made public.
Documents that contain names, Social Security numbers, birth dates, savings account balances, credit card numbers, stated individuals’ health conditions, or other personal information should always be shredded.
Also shred trash bound documents that could potentially help your organization’s competition. Items such as customer lists, sensitive pricing information, strategic planning documents, and trade secrets should be shredded, not tossed into the recycle bin.
Be especially diligent when dealing with information from consumer reports. The Fair Credit Reporting Act protects credit reports and credit scores as well as reports relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history. Anyone who handles this type of information must follow strict disposal guidelines that may reasonably include burning, pulverizing, or shredding the paper documents so that the information cannot be read or reconstructed.
There are many options for shredding documents. There are cross cut shredders in the $60-$2500 price range. Alternatively there are outsourced shredding services that will pick up locked bins of sensitive documents, shred them onsite for a fee based on quantity. They will then cart away the shredded paper and provide a certificate of destruction.
Next Generation In House Document Shredding
As the IT professional in a SMB you will most likely wish to shred sensitive papers in house in order to contain costs. You want to look for a feature rich shredder that is simple for you and your organization to use. Ideally, the shredder should have superior auto feed technology built in so you do not have to sit there and hand feed the documents. The shredder should accommodate crumpled paper, double sided color printed paper, glossy paper, multiple sheets folder over, paper clips, staples, junk mail and DVDs. It should also be very quiet and secure with lock draw technology.
One shredder that works well is the AutoMax 500C Shredder from Fellowes. It can quietly and securely continuously shred 500 sheets of paper into 5/32” x 1-1/2” cross-cut particles. This provides a security level of P-4, high enough to safeguard most companies in most industries.
Recent investments in the development of new document shredding technology now makes the shredding process faster and more secure than ever before. Previously, organizations had to dedicate valuable employee resources to hand feeding documents into a single sheet shredder.
For example, the Fellowes organization has introduced document “load, lock and walk away” shredding capabilities to their AutoMax product line of large volume, auto-feed commercial shredders. These enhancements make the internal disposal of large quantities of confidential information a much easier task to accomplish. Organizations currently sending documents off-site for shredding or just tossing sensitive documents in the trash should take a look at the potential cost savings and security benefits of shredding documents in house with a shredder such as the AutoMax 500C.