In the digital age, paper files--even those containing sensitive information--are not usually considered as high a security risk. Experts say that's a mistake.
Much digital ink has been used to warn those now working from home about the need to pay close attention to cybersecurity, as their employer's IT department is not there to help. But some are suggesting that caring for paper documents might be as important as caring for a PDF.
"If your business regularly handles sensitive hardcopy data in the office, chances are that your employees working from home now have to continue handling sensitive data outside the safety of your office environment," said Andrea Maciejewski and Joshua James of Bryan, Cave, Leighton, and Paisner, in their post: Work From Home Cybersecurity Basics: Handling Sensitive Hardcopy Data. "This poses many challenges, but with some forethought, many businesses will likely find that they can continue most operations without sacrificing security."
During the coronavirus crisis, it's a bit late for forethought, but the co-authors said it's a good idea to revisit in-place security measures, in particular ones pertaining to sensitive hard-copy files, as their security is often overlooked in the digital age.
It's easy to think that "dumpster diving" is a thing of the past and destroying sensitive hard copies is only done to meet regulations. But Rob Douglas, contributing editor at Consumer Affairs, disagrees, listing dumpster diving and mail theft as active methods of identity theft in his recent report, 2020 Identity theft statistics. He said that because most people are working from home right now, identity theft criminals are shifting their operations from the office to people's homes.
How to secure your hard-copy data
Maciejewski and James suggest the following ways to keep hard copies safe from criminals.
Decide what it means to lose the file
The solution to this may seem obvious--just copy the file; however, there are circumstances where files cannot be copied. "While your company and employees will take steps to avoid losing the file, the reality is that once the file leaves the office, the chances of it being lost, destroyed, or stolen go up," said Maciejewski and James. "Your company should carefully balance the needs of the business against the risk of harm the loss of the file might cause."
Determine if information in the file is sensitive
If you have a process in place to determine whether there is sensitive information within the file, help employees learn how to handle sensitive data. It becomes akin to muscle memory: Once it's learned, it becomes automatic.
Consider the file's security if removed from the office
Considerable thought should be given to how the file is protected when it is not within the physical confines of the company. The authors offer the following examples.
Public transportation: If the employee uses public transportation to move sensitive files, Maciejewski and James suggest it may be worthwhile for the company to pay for a taxi or rideshare. "Also, caution employees who drive not to stop on the way home with sensitive files in their vehicles. A briefcase or backpack might get stolen if the employee's vehicle is left unattended for a period of time."
In-home security: Employees need to be realistic in deciding how securely they can store files at home:
- Does the employee live with multiple people?
- Does the employee have a locked or otherwise secured area to keep files when not in use?
Ensure the capability of destroying files
One way to avoid transporting sensitive hard copy that was either brought home or printed at home is to physically destroy the papers.
Every company should develop an internal data-destruction policy that accounts for information destruction both in the office and at remote locations such as an employee's home. Some options are:
- Purchase home shredders for each employee: This may be a good option if employees handle relatively small amounts of hard-copy files containing sensitive data. The authors also advise checking local and federal regulations for the proper way to shred documents.
- Enlist the services of a third-party shredding company: Businesses offering mobile shredding services may make sense if the quantity is there. "This may be a good option if you have employees who regularly handle high volumes of papers containing personal data or sensitive information," they said.
- Minimize data handling: It may be a good idea to cut down on handling sensitive data for a time. Some tasks that require working with large quantities of sensitive data may be best delayed until the employee is able to work from a secure location.
- Establish a no-print policy: Consider prohibiting employees from printing at home or taking physical documents to their homes.