Why Information Must Be Destroyed

The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security.

For those who think that dumpster diving is a security threat of the past, check out Steve Hunt's fascinating video "Scoring big in corporate dumpster diving". He recently did a dumpster dive in Chicago and found confidential wire transfer information, a laptop, and other treasures in the dumpster. His adventure took all of three minutes, and he astutely advises companies to do their own dumpster diving tests.

In addition, the current recession means that organizations may have to deal with disgruntled and angry employees as well as those who think their job or company will soon be eliminated. With that, the risk of misuse of sensitive information is even greater.

Simply put, effective document destruction practices prevent information from falling into the wrong hands. Perhaps the most pervasive example of this is credit card charge receipts, which are retrieved from trash bins by dumpster divers, often with the intent of using the information for online or telephone orders. Many businesses discard such payment information without effective destruction controls. If such controls are not used, the information unearthed from the post-fraud investigation could be extremely embarrassing to explain to customers, and it could also turn into a PR nightmare or an expensive legal problem.

Just trash it all: The Enron approach

Once made aware of the need, many organizations react in knee-jerk fashion by gathering all stored hard copies and simply disposing of them. But that does not solve the problem, for a number of reasons.

First, there are legal and regulatory requirements that mandate that paper documents be retained for specific periods of time. Additionally, throwing things directly into the dumpster exposes companies to dumpster divers. As detailed above, dumpsters can be a great source of information.

There is another reason why the trashing of daily records without appropriate destruction is dangerous. If you simply throw out trash and it gets into your competitors' hands, they can easily correlate and learn about your business activities.

By way of example, SIM software can take seemingly disparate log items and correlate them into an active attack; so too with your trash. Your daily activities are similarly manifest in your trash. From daily activities, phone records, travel plans, RFP submissions, memos, and much more, your business can be exposed if this information is not properly destroyed.

If Enron is the poster child for inappropriate document destruction, those organizations seeking to do document destruction properly should consider obtaining the Media Disposal Toolkit from Network Frontiers. The toolkit contains everything an organization needs to know about data disposal. It includes a spreadsheet of unified common controls, a work breakdown structure with processes and procedures, and data deletion management documentation on the policies and standards that organizations must adhere to in order to be in compliance with global regulatory mandates.
