Document shredding seems to have fallen out of favor. I recently received some questions from a client wondering if, in the age of massive remote database breaches by pajama-clad hackers, we should still shred our sensitive documents. If the information is so easy to access digitally, then why would anyone go through the arduous, dirty work of old-fashioned dumpster diving?
In case you have the same questions, here are my thoughts:
Is identity theft via paper still an issue in this digital age?
Without even a moment’s hesitation – YES IT IS! It no longer gets the press it used to, and dumpster diving, physical file theft and the like never account for the sheer volume of identities stolen (it’s more profitable and efficient to hack a million IDs at a time from Facebook or Equifax). But they are still part of the criminal toolkit, especially for local criminals (who don’t have hacking experience) and for organized criminals who need small bits of information about a target before they socially engineer them into handing over the keys to the kingdom (e.g., gaining their trust to manipulate them out of their user login credentials at work based on information from physical documents, embarrassing trash, etc.).
Do people still need to shred all of their paper documents?
The initial answer is no, because that information is already out there in volumes. The wiser answer, from a habituation perspective, is yes. In 30 seconds a day (if your shredder is convenient), you can shred everything with personal information on it. That way, when a document does have something more valuable on it (account number, last four of your SSN or any of those small bread crumbs that lead to greater levels of trust and access), you have already established a good habit. When users are advised to just shred X or Y, instead of everything personal, they eventually forget or give up because the volume is too low.
Are cross-cut document shredders enough or should we use higher-security micro-cut shredders?
For the average person who doesn’t work in a defense-related, finance-related or health-related job (you get the idea), I think that a simple confetti shredder is plenty sufficient. There is technology out there to recreate documents, but that isn’t really the concern of your average reader. If they have a security clearance or deal with highly sensitive information from work in their home, then yes, the higher-end shredders are better.
The Achilles heel of shredding is that people don’t take care of their shredders (empty them, oil them, etc.), and they break like a car with no oil, so that is part of the deal – you have to maintain them. I still have a shredder in my home office and several at work. We put all of the documents in a bin next to the shredder and shred them a couple of times per week before the trash goes out. That makes it a bit more efficient.
In other words, how paranoid should we still be about shredding documents?
Paranoid is a touch too strong. Just be smart. Think about unshredded documents as the reconnaissance tools that cyber criminals use to commit larger crimes. If I find your bank statement unshredded in the trash, I can now call you, pretend to be the bank using a caller ID spoofing app, recite the last four digits of your account and get the information I need acting as the bank to close out your account on the very next call. And from a corporate perspective, it’s even more valuable data.
So what are the basic reasons behind document shredding?
- Prevent identity theft
- Protect your customers and your employees
- It’s the law (under the Data Protection Act)
- It saves space
- It’s “green”! Shredded paper makes recycling much easier
What documents should you shred?
- Medical records and bills (keep for at least a year after payment in case of disputes)
- Old tax returns: after three years of returns you are allowed to throw them away, as long as you aren’t committing fraud – otherwise you can be held liable indefinitely
- Old photo IDs
- Bank, investment, medical or insurance statements (or anything else that contains vital identity or account numbers)
- Credit card offers and expired credit and debit cards
- Canceled or voided checks
- Pay stubs
- Copies of sales receipts
- Convenience checks (blank checks your credit card company sends to borrow against your credit line)
- Junk mail that contains personally identifying information (watch for barcodes)
- Mail related to your children or their school
Remember, shredding isn’t only for large companies. As someone who personally was a victim of dumpster diving, trust me and take the extra four seconds to shred that piece of trash; it may save you years of time spent trying to recover from financial devastation.
About Cyber Security Keynote Speaker John Sileo
John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachael Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.