Off the top of your head, what are the risks your business is exposed to? Chances are that you can list half a dozen in the time it takes to read this paragraph, but did the risk of not having a paper shredding service cross your mind?
Losing confidential information can be a nightmare. This is particularly true for companies in sectors like healthcare and finance, but even enterprises in the hospitality and marketing spaces can face huge lawsuits, lose contracts, and give away valuable information to competitors if the proper steps aren’t taken.
Most of the examples linked to above refer to digital data breaches, and for good reason. However, low-tech data losses, where someone steals information in written format, are also a major risk, and not realizing this can cost your company serious money and a damaged reputation.
Why Contracting a Paper Shredding Service Is a Good Idea
Legally, as soon as trash leaves your premises it’s usually no longer your property, even if it contains highly sensitive information. Practically speaking, almost anyone can sift through it, searching for customer lists, payroll information, or whatever your company happens to commit to paper.
So, given all of the above, why should you entrust your sensitive documents to strangers for destruction?
Wouldn’t it be better to keep such a security-critical function in-house?
The truth is, though, that it often does make sense.
In the first place, using a paper shredding service isn’t actually worse than having an employee or intern do all your shredding. In fact, around 1% of bank employees are fired every year for dishonesty – mostly petty fraud. Banks take great care with who they hire; do you follow the same procedures?
Secondly, outsourcing non-core business functions to professionals is usually not the worse option. If you didn’t have a problem having some hairy teenager setting up your server, handing over boxes full of sensitive documents to a specialized third party shouldn’t bother you.
In the end, this is mostly a question of scale. Shredding companies can afford industrial-strength equipment and tend to be cheaper for any kind of high-volume paper waste disposal, although many SMEs will find it more economical to purchase their own shredder. Just remember that cheaper office shredders can take quite a while to chew their way through a file, which not only impacts productivity but may lead to shredding guidelines being ignored.
What to Look for in a Paper Shredding Company
For the most part, offices produce enough waste that it’s not worth a paper shredding company’s employees’ time to try and sift through it looking for something confidential. In certain industries, though (law, industrial R&D, etc.), it might be worthwhile looking over a document shredding company’s credentials just to make sure.
- In the United States, choosing a company with a NAID accreditation (National Association of Information Destruction), which covers many of the points below, is an excellent way of reducing risk. The equivalent certification in the E.U. is called BS EN 15713.
- Almost always, information on court cases is a matter of public record, or at least available as a paid service. While some lawsuits are certainly frivolous, a company or its directors being sued frequently is rarely a good sign. Having your lawyer check this is much cheaper than doing a full background check.
- What are their hiring policies? This is something of a subjective area: preferring military veterans, especially with security clearance, is a popular practice, but also occasionally fails. A great deal depends on the relationship between management and workers; low staff turnover is a good indicator.
- What physical security measures have they implemented? CCTV cameras in the loading and shredding areas are good; an exterior door that can be opened with a crowbar is not. In any case, somebody being able to walk off with a large ream of paper is not something that should be possible without detection.
- Do they provide an on-site service? Companies that use shredding trucks have a very short logistic cycle with few opportunities for data theft.
- If shredding your documents at their premises, what procedures are followed? A good idea is to use lockable boxes with a slot for putting in documents, with only a few trusted people allowed access to the keys.
- Do they offer the option of returning your shredded paper to you? This allows you to weigh it before and after, but can raise waste management costs and create a fire hazard.
- Who are their other clients? While personal recommendations aren’t always reliable (people tend to endorse people who are charming rather than necessarily professional), large companies can often afford to do more detailed investigations into potential service providers, saving you from having to do the work.
- Although this will be more important in some cases than others, what is the shredding service’s relationship with recyclers? If your company has a sustainability improvement program, this should be factored in, but it may also require you to sort your waste by type.
Does Your Paper Shredding Service Speak IT?
Some companies like to donate their old computers and other electronics to charity, which is certainly a good idea in general. However, this comes with certain risks.
Even when a file on a hard drive has been deleted, it’s still physically there and actually not that hard to find. This means that your good deed could lead to your payroll information, customer records, and emails ending up in malicious hands.
There is actually a thriving market for personal information online. This refers to outright criminal activity on the Dark Web, but also gray-market data “aggregators” and “brokers” that use personal information mainly to influence consumer opinion.
Just to re-emphasize a basic point: crimes such as identity theft don’t require someone’s fingerprints, blood type, and database logon – just knowing their mother’s maiden name, social security number, and address makes a pretty good starting point. All personally identifiable information should be protected, regardless of whether it’s on paper or digital media. A company not taking appropriate steps to safeguard personal customer or employee data is definitely liable should anything go wrong.
Some companies, when sending an employee to countries known for hacking (China and Russia come to mind), actually supply them with blank-slate laptops that are physically destroyed on their return. This may seem excessive, but there are certainly reasons for it.
Disposing of Digital Media
When looking at document shredding companies’ credentials, be sure that they are able to handle your digital data along with paper records.
Some companies will own industrial-strength degaussers and other specialized equipment, but some simpler methods they may use work as well:
- Drilling a hole through the platters of a magnetic hard drive makes it unreadable without extensive refurbishment in a well-equipped lab.
- Placing a CD or DVD in a bowl of water and microwaving it for half a minute erases it completely by melting its foil layer. (Don’t do this in the office kitchen, though.)
- For solid-state hard drives and USB thumb devices, the only way to truly erase the data stored on the memory chip is to physically destroy it. This means breaking open the casing and finding (usually) the largest black rectangular plastic thing inside, as even if the device itself has been damaged beyond repair, the information inside is not beyond the reach of data recovery experts. Recommended methods include smashing it with a hammer, crushing it with a pair of pliers or connecting it to a high voltage source.
- Mobile devices are especially problematic, as they are upgraded frequently and the old one sold or given away. At a minimum, they should be factory reset, but this is not totally effective. This is more of an IT issue than something most document shredding companies will concern themselves with anyway; the best solution is probably to institute a non-BYOD (Bring Your Own Device) policy.
When it comes to personal information, ownership and control are separate concepts. Whenever you handle customer or employee data, or in fact your own trade secrets, you have a duty of trust to protect it – it remains the “property” of the people implicated.
Taking shortcuts where this is concerned can easily lead to fines, civil suits, and irreparable harm to a company’s reputation. Even worse, data breaches literally ruin lives – just ask anyone who’s trying to repair the damage caused by their identity being stolen.
For the most part, protecting this kind of data means paying attention to IT security, but paper records shouldn’t be neglected either. This implies several things involving administrative systems, physical security, hiring procedures, and more, but three basic principles almost always apply:
- Restrict access to information to those who genuinely need it,
- Store any hardcopy documents securely, for however long you might need them, especially when this is a legal requirement,
- Definitely pass anything you don’t need on to a paper shredding company.
The first two points are practiced pretty generally in the corporate world, but the last is often seen as just too much trouble. The harm this causes is sometimes invisible, but very certainly real.