
Is Document Shredding Still a Thing in This Digital Age?

Document shredding seems to have fallen out of favor. I recently received some questions from a client wondering if, in the age of massive remote database breaches by pajama-clad hackers, we should still shred our sensitive documents. If it is so easy to access information digitally, then why would anyone go through the arduous, dirty work of old-fashioned dumpster diving?

In case you have the same questions, here are my thoughts:

Is Identity theft via paper still an issue in this digital age?

Without even a moment’s hesitation – YES IT IS! It no longer gets the press it used to, and dumpster diving, physical file theft and the like never account for the sheer volume of identities stolen (it’s more profitable and efficient to hack a million IDs at a time from Facebook or Equifax). But they are still part of the criminal toolkit, especially for local criminals (who don’t have hacking experience) and especially for organized criminals who need small bits of information from a target before they socially engineer them into handing over the keys to the kingdom (e.g., gaining their trust to manipulate them out of their user login credentials at work based on information from physical documents, embarrassing trash, etc.).

Do people still need to shred all of their paper documents? 

The initial answer is no, because that information is already out there in volumes. The wiser answer, from a habituation perspective, is yes. In 30 seconds a day (if your shredder is convenient), you can shred everything with personal information on it. That way, when a document does have something more valuable on it (account number, last four of your SSN or any of those small bread crumbs that lead to greater levels of trust and access), you have already established a good habit. When users are advised to just shred X or Y, instead of everything personal, they eventually forget or give up because the volume is too low.

Are cross-cut document shredders enough or should we use higher-security micro-cut shredders?

For the average person who doesn’t work in a defense-related, finance-related or health-related job (you get the idea), I think that a simple confetti shredder is plenty sufficient. There is technology out there to recreate documents, but that isn’t really the concern of your average reader. If they have security clearance or deal with highly sensitive information from work in their home, then yes, the higher-end shredders are better.

The Achilles heel of shredding is that people don’t take care of their shredders (empty them, oil them, etc.), and they break like a car with no oil. So that is part of the deal – you have to maintain them. I still have a shredder in my home office and several at work. We put all of the documents in a bin next to the shredder and shred them a couple of times per week before the trash goes out. That makes it a bit more efficient.

In other words, how paranoid should we still be about shredding documents?

Paranoid is a touch too strong. Just be smart. Think about unshredded documents as the reconnaissance tools that cyber criminals use to commit larger crimes. If I find your bank statement unshredded in the trash, I can now call you, pretend to be the bank using a caller ID spoofing app, recite the last four digits of your account and get the information I need acting as the bank to close out your account on the very next call. And from a corporate perspective, it’s even more valuable data.

So what are the basic reasons behind document shredding?

  • Prevent identity theft
  • Protect your customers and your employees
  • It’s the law (under the Data Protection Act)
  • It saves space
  • It’s “green”! Shredded paper makes recycling much easier

What documents should you shred?

  • Medical records and bills (keep for at least a year after payment in case of disputes)
  • Old tax returns: after three years of returns you are allowed to throw them away, as long as you aren’t committing fraud – otherwise you can be held liable indefinitely
  • Old photo IDs
  • Bank, investment, medical or insurance statements (or anything else that contains vital identity or account numbers)
  • Credit card offers and expired credit and debit cards
  • Canceled or voided checks
  • Pay stubs
  • Copies of sales receipts
  • Convenience checks (blank checks your credit card company sends to borrow against your credit line)
  • Junk mail that contains personally identifying information (watch for barcodes)
  • Mail related to your children or their school

Remember, shredding isn’t only for large companies. As someone who personally was a victim of dumpster diving, trust me and take the extra four seconds to shred that piece of trash; it may save you years of time spent trying to recover from financial devastation.

About Cyber Security Keynote Speaker John Sileo

John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachael Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

HoGo Document Protection: 10 Questions w/ Digital Privacy Expert John Sileo

By Mike Spinney, HoGo (Document Protection Simplified)

John Sileo is a kindred spirit when it comes to fighting the good fight against data breach and identity theft. I met John about seven years ago when we were both part of a joint project to raise awareness over the issue of physical document protection and we’ve been friends ever since. I admire what John does to help make people more aware of their personal risk and take steps to prevent identity theft. A two-time victim of identity theft, John has refused to wallow in his victimization and instead has become a privacy expert in his own right and taken his powerful, personal message to audiences around the world raising identity theft prevention awareness as one of the issue’s premier speakers.

In addition to keynote speaking and his video series, Burning Questions, John is a frequent media source for stories about privacy and identity theft. He was in my area last month to give a series of keynote presentations for the University of Massachusetts’ privacy awareness program so I took the opportunity to meet with John and ask him ten questions about his work and the issue of data privacy and information protection.

HoGo: Your personal ID theft story is not uncommon. Is there anything that might have caused you to take better care of your personal information prior to your first experience?

Privacy Means Profit: Lock Your Business Docs

The following is an excerpt from John’s latest book Privacy Means Profit. To learn more and to purchase the book, visit our website www.ThinkLikeASpy.com.

Locking up sensitive documents is one of the most important and underutilized ways to protect company data. Of the individuals surveyed by the Ponemon Institute, 56 percent state that over 50 percent of their company’s sensitive or confidential information is contained within paper documents. Since 49 percent of all breaches involved paper, locking up what cannot be eliminated or destroyed is essential. To get you firmly into the business mind-set of thinking like a spy, start with this simple three-step classification process:

1. Classification: Set up a classification scheme. For example, you might have four levels of access: public, internal, classified, and top secret.

  • Public documents are the only documents meant to be seen by outsiders (the public). This might include sales and marketing materials, websites, public filings, and the like.
  • Internal documents are those appropriate for employees of the company to see, but inappropriate for outsiders. These are generally not high-risk documents; still, it’s better to keep them confidential, just in case.
  • Classified documents are a security risk if the wrong people see them, either internally or externally. Only certain employees and executives would have access to these documents (see step 2). Classified documents might include human resource files, customer lists, product development papers, department financials, strategy frameworks, and so on.
  • Top secret documents are those meant for only a small number of very carefully vetted people at the company. Top secret documents tend to include trade secrets (e.g., the recipe for Coke), intellectual capital, merger and acquisition data, and proprietary financials.

2. User-level Access: Set up a system of locking that grants only qualified individuals access to the corresponding level of confidentiality.

Privacy Means Profit

Prevent Identity Theft and Secure You and Your Bottom Line

“This book builds a bridge between good personal privacy habits (protect your wallet, online banking, trash, etc.) with the skills and motivation to protect workplace data (bulletproof your laptop, server, hiring policies, etc.).”

In Privacy Means Profit, John Sileo demonstrates how to keep data theft from destroying your bottom line, both personally and professionally. In addition to sharing his gripping tale of losing $300,000 and his business to data breach, John writes about the risks posed by social media, travel theft, workplace identity theft, and how to keep it from happening to you and your business.

Secure Document Storage

SentrySafe Fire Safes

A majority of our most valuable identity documents (passports, birth and death certificates, wills, trusts, deeds, brokerage information, passwords, health records, etc.) are exposed to identity theft (and natural disasters, such as fire and floods) as they sit in unlocked filing cabinets, banking boxes in the basement, office drawers or out in the open, on our desks. I spend an entire chapter in Privacy Means Profit talking about which documents to lock up, which to destroy and which to stop at the source. To complicate matters, the problem of data theft goes beyond paper documents to digital media. More than ever we need to be concerned with the physical protection of hard drives, cell phones, thumb drives, CDs and DVDs with sensitive personal or business data on them.