INFO ON PAPER SERIOUS SECURITY BREACH

Cybereye On paper, a potential risk

http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.id=47570By William Jackson

THE WORD DATA stirs thoughts of bits and bytes stored on disks, hard drives and tape. We often forget, especially if we deal with information technology issues all day, that data also exists on paper and that the sensitive information it contains could also be at risk of breaches.

A newly formed group, the Alliance for Secure Business Information, recently released the results of a survey that found that nearly half of data breaches reported by respondents involved paper documents. True, that means that more than half of the breaches did not involve paper, but it still is a reminder that information security policies must take paper documents into account.

The detailed results of surveys such as ASBI’s “Security of Paper Documents in the Workplace” might be taken with a grain of salt. One of the founding members of the organization is Fellowes, a manufacturer of paper shredders.

Not that there is anything wrong with that, but you might expect a bit of a bias in its approach to the subject. Other members are the Ponemon Institute, which advances privacy management issues; the Identity Theft Resource Center, which focuses on identity theft; and John Sileo, who speaks on business security.

The survey produced a response rate of only about 6 percent. Still, that was 819 respondents — 14 percent of them in government — and ASBI claims a margin of error of plus or minus 3.5 percent in its results.
Biases and margins of error aside, it is hard not to agree that a lot of any organization’s data exists in paper form. Despite the increased use of electronic media, the long-anticipated paperless office has not arrived and does not appear to be getting close.

Any employee with an interest in the happenings of an organization knows that the slush basket of the office printer is a bountiful resource, as is any unattended copier or fax machine. A more dedicated seeker of confidential information can find troves of information in waste baskets, desktops and filing cabinets.

Electronic data gets a lot of attention, and rightly so, because it can be accessed remotely and easily copied, transmitted, deleted or exposed on a wholesale scale.

However, that is no reason not to pay attention to data on paper. In the ASBI report, 56 percent of respondents said controlling access to paper documents is more difficult than controlling electronic access, and 61 percent said they do not have the resources and controls needed to secure paper documents.

Trash bins were listed as the spot where paper is most at risk, and in what must be a blow to Fellowes, only 35 percent reported that paper is routinely shredded.

In addition to more shredders, ASBI recommends some common-sense practices to improve security, including better budgets and support from senior management for strict enforcement of document-handling policies, rigorous procedures for disposing of documents and accountability of managers for securing files.