Almost 40% of small business owners (SBOs) have no policy in place for storing and disposing of confidential paper documents, according to the seventh annual Shred-it Information Security Tracker Survey, conducted by Ipsos.
Electronic device security practices didn’t fare much better. The survey found that although 96% of large businesses have a policy in place to store and destroy electronic devices, including hard drives, only 57% of them do so on a quarterly basis or more frequently. In 2016, more than three-quarters of respondents did so on a quarterly basis or more frequently.
"Companies of all sizes need to start taking proactive measures to ensure their employees are trained on destruction procedures, that sensitive information is stored securely, and that they're mitigating information security threats by disposing of paper and electronic devices in a timely fashion," said Kevin Pollack, senior vice president of Shred-it, in a press release.
Like it or not, there’s still plenty of paper floating around the average office, and that paper can pose risks, especially if it contains information like passwords that can lead to a breach. And security executives, whether chief information security officers or chief security officers, are frequently charged with protecting both digital and physical security.
While there’s a lot of attention on the safe disposal of electronic devices, U.S. businesses often underestimate the vulnerabilities a paper trail can create within their organization. A lack of employee knowledge or training is commonly the culprit.
Businesses can also underestimate just how much information can be pieced together from small amounts of data. In 2015, the Ponemon Institute conducted a visual hacking experiment that demonstrated this very effectively. A company hired a pretend hacker who was given access to eight companies through a temporary worker badge. In just a matter of minutes, the hacker was able to collect things like employee access and login credentials, customer information and even corporate financials by simply looking at information on desks and using his smartphone to take a picture of information displayed on computer screens.