Address improper data disposal’s weakest link
April 9, 2015
Last year I saw a headline reading, “Study shows employees and contractors are biggest cause of breaches.” My first reaction was “that’s interesting.” My second reaction was, “Who else could it be?” Even high profile hacking cases involve employees inappropriately clicking on links and allowing the bad guys in.
When it comes to proper information disposal, or should I say, avoiding a breach due to improper disposal of protected information, the same obvious reality is at the heart of it. Knowingly or unknowingly, it is at the hands of an employee. Despite any amount of training, however, there is one lesson too many data controllers have learned the hard way. In order to maximize compliance, proper disposal of information has to be easy for the employee.
Requiring employees to use the shredder in the copy room is not easy. So much so that it is not even reasonable to think they will consistently do it. Whether because of carelessness, workload issues, pressures outside work, or laziness, compliance failure is inevitable. Nor is it reasonable to give employees the discretion on what is destroyed or options on where information-bearing media should go. Whenever a recycling bin is next to a shred bin, it is easy to find confidential information in the recycling bin.
The same goes for IT asset disposal. Since employees are less likely to toss out computers, it can be less of an issue. However, leaving the decision to the IT department instead of dictating the procedure through security and compliance can cause a problem. IT departments are less likely to understand the devastating consequences of missing or untracked electronic assets that could later come back to haunt the organization.
The point is that easy, failsafe; decision-free solutions developed and implemented by the appropriate and accountable department leaders is the only way to assure consistent, proper, compliant, secure information destruction.