Cybereye | On paper, a potential risk
- By William Jackson
- Nov 14, 2008
THE WORD DATA stirs thoughts of bits and bytes stored on disks,
hard drives and tape. We often forget, especially if we deal with
information technology issues all day, that data also exists on
paper and that the sensitive information it contains could also be
at risk of breaches.
A newly formed group, the Alliance for Secure Business
Information, recently released the results of a survey that found
that nearly half of data breaches reported by respondents involved
paper documents. True, that means that more than half of the
breaches did not involve paper, but it still is a reminder that
information security policies must take paper documents into
The detailed results of surveys such as ASBI's
'Security of Paper Documents in the Workplace' might be
taken with a grain of salt. One of the founding members of the
organization is Fellowes, a manufacturer of paper shredders. Not
that there is anything wrong with that, but you might expect a bit
of a bias in its approach to the subject. Other members are the
Ponemon Institute, which advances privacy management issues; the
Identity Theft Resource Center, which focuses on identity theft;
and John Sileo, who speaks on business security.
The survey produced a response rate of only about 6 percent.
Still, that was 819 respondents ' 14 percent of them in
government ' and ASBI claims a margin of error of plus or
minus 3.5 percent in its results.
Biases and margins of error aside, it is hard not to agree that
a lot of any organization's data exists in paper form.
Despite the increased use of electronic media, the long-anticipated
paperless office has not arrived and does not appear to be getting
close. Any employee with an interest in the happenings of an
organization knows that the slush basket of the office printer is a
bountiful resource, as is any unattended copier or fax machine. A
more dedicated seeker of confidential information can find troves
of information in waste baskets, desktops and filing cabinets.
Electronic data gets a lot of attention, and rightly so, because
it can be accessed remotely and easily copied, transmitted, deleted
or exposed on a wholesale scale.
However, that is no reason not to pay attention to data on
paper. In the ASBI report, 56 percent of respondents said
controlling access to paper documents is more difficult than
controlling electronic access, and 61 percent said they do not have
the resources and controls needed to secure paper documents. Trash
bins were listed as the spot where paper is most at risk, and in
what must be a blow to Fellowes, only 35 percent reported that
paper is routinely shredded.
In addition to more shredders, ASBI recommends some common-sense
practices to improve security, including better budgets and support
from senior management for strict enforcement of document-handling
policies, rigorous procedures for disposing of documents and
accountability of managers for securing files.
William Jackson is freelance writer and the author of the CyberEye blog.