Blog posts

The 3 Big Causes of Data Breaches

Mon, 17 Jun 2013 23:16:58 GMT

Did you know the cost of a data breach can vary significantly based on where in the world it occurs?

A annual study conducted by the Ponemon Institute showed that the geographic location can dictate the cost of a breach with the main factors being the type or nature of threat as well as the policies and laws enforced within the country.

The report analyzed 277 companies who had experienced a data breach in 9 different countries (all currencies were converted into US dollars). The three main causes were:

In the study, malicious attacks accounted for more than 37% of security breaches in 2012.
Negligent employees and contractors mishandling confidential data accounted for 35% of data breaches.
Systems glitches such as application failures, inadvertent data dumps, errors in data transfer and authentication failures accounted for 29% of data breaches.

They found that the highest costs associated with these data breaches were found in the U.S. ($277) and Germany ($214) while the lowest financial impact occurred in Brazil ($71) and India ($42).

No matter where your business is located, follow these best practices to reduce the risk of information breaches:

Create strong information security policies and procedures.
Train employees about the proper handling of confidential information.
Provide the right IT (data loss, encryption solutions, etc.) to protect sensitive data.
Work closely with trusted business partners when choosing a security partne r

Learn more about how to protect your business from security breaches and fraud.

Data Breaches: 5 Cost Effective Preventive Strategies

Fri, 07 Jun 2013 13:54:00 GMT

“The costs of reacting to breaches almost always exceed the cost of preventing them,” said Nicholas Cheung of the accountants’ association CPA Canada. He was commenting in the press about a survey that showed managing data is the top technology-related priority of accountants today.

Of course, managing and protecting data, especially sensitive data, is critical in all workplaces. Recent research shows that organizations experience about one fraud event per week.

The cost of a data breach includes the time spent dealing with it, damage to the firm’s reputation, the possibility of identity theft, and there may be fines.

The average dollar cost has actually been pegged at $194 per lost or stolen record and $5.5 per security breach incident, according to the 2011 Cost of Data Breach Study by Symantec Corp. and Ponemon.

So how do you prevent data breaches from occurring in the first place? Implement sound information security policies and procedures:

Designate a Chief Information Security Officer (CISO) – research has shown this can reduce the cost of a data breach by 35% per compromised record.
Form a data security team with members from key departments such as information technology, compliance, human resources, legal, and communications.
Maintain a running inventory of all information that needs to be protected.
Schedule on-going security training for employees – recent research shows negligent employees are the top cause of data breaches.
Partner with companies that are committed to information security.

Find out more about how you can protect your organization and make the best choice for secure document destruction.

Data Breaches: 5 Cost Effective Preventive Strategies

Fri, 07 Jun 2013 13:07:45 GMT

Of course, managing and protecting data, especially sensitive data, is critical in all workplaces. Recent research shows that organizations experience about one fraud event per week.

The cost of a data breach includes the time spent dealing with it, damage to the firm’s reputation, the possibility of identity theft, and there may be fines.

So how do you prevent data breaches from occurring in the first place? Implement sound information security policies and procedures:

Designate a Chief Information Security Officer (CISO) – research has shown this can reduce the cost of a data breach by 35% per compromised record.
Form a data security team with members from key departments such as information technology, compliance, human resources, legal, and communications.
Maintain a running inventory of all information that needs to be protected.
Schedule on-going security training for employees – recent research shows negligent employees are the top cause of data breaches.
Partner with companies that are committed to information security.

Find out more about how you can protect your organization and make the best choice for secure document destruction

.

7 Reasons to Implement a Clean Desk Policy

Thu, 30 May 2013 13:34:15 GMT

Have you implemented a Clean Desk Policy in your workplace?

It directs employees to keep their desks and work space clean and uncluttered at all times with a specific emphasis on protecting sensitive information.

To best protect your company's sensitive data, your workplace should provide lockable storage as well as secure settings and passwords for electronic devices. All employees should be encouraged to protect their cell phones and other storage devices, and any printed and visible information, when they leave their desks – even if it’s just for a coffee. Of course, when information is no longer needed, it should be placed in a locked console for secure shredding.

A Clean Desk Policy helps protect your company in so many ways including:

Privacy law compliance. In Canada, for example, PIPEDA legislation requires organizations to safeguard personal information; in the U.S.A, there are several federal privacy laws such as FACTA, HIPAA / HITECH, Gramm Leach Bliley and Sarbanes Oxley.
Fewer data breaches. When private information is protected, there is less likelihood of information theft, fraud or a security breach.
Reduce opportunities for dishonesty. Leaving sensitive information unattended and visible may attract prying eyes.
Saves money. Encouraging ‘digitized’, not printed, documents cuts paper use, etc.
Positive space. Uncluttered work spaces make a good impression on employees and any visitors.
Saves time. Research shows that many employees waste time searching for information... a tidy space will help.
May save your sanity. ‘Organized’ employees spend less time stressing out because they can’t find something.

A Clean Desk Policy should be a written document that is communicated to all employees. Here’s how to establish a clean desk policy at your work place.

Employee Alert: How to Manage Information Security On Holiday

Thu, 23 May 2013 10:10:36 GMT

It’s not surprising that only eight percent of workers surveyed in a recent study said they completely disconnect from technology when they’re on vacation. But what is surprising is how unreliable these workers are when it comes to keeping company data secure out of the office.

The iPass 2012 Mobile Workforce Report (Q3) shows that many of the workers do not have data security features on their smartphones, tablets and other devices. Furthermore, many are taking steps to bypass their company’s IT department to access corporate data on these devices.

This increases the risk of data breaches but worse, it shows that employees are not up-to-speed on information security.

Now that employees are looking forward to their summer vacations, it’s a good time to remind them to keep private information private when they are working off-site. Here are some guidelines to consider sharing:

Assume all business documents are confidential – and should be removed from the office only if necessary.
Have a shred-all policy to ensure all documents are securely destroyed whether you’re in the office – or at the cottage. Your secure destruction provider may supply confidential disposal bags so documents can be returned for secure shredding and recycling.
Install encryption technology on all storage devices.
Be sure your security settings as well as passwords and firewalls protect devices with internet connections.
Avoid printing confidential information from laptops or other computers.
When working in a public area, be conscientious about protecting devices and information.

For more information, check out our newsletter that discusses the security risks around working from home.

HIPAA – Affects Small Businesses Too!

Fri, 17 May 2013 13:03:57 GMT

Did you know that 94% of healthcare organizations in the US have experienced a security breach within the last 2 years? Earlier this year, the Hospice of North Idaho exposed over 400 patient records due to the loss of a laptop containing the information. The US Department of Health and Human Services (HHS) has announced that it had reached a settlement with the Hospice of North Idaho (HONI).

“So what’s the big deal?” you may ask. Businesses get caught everyday not complying with laws and regulations, so much so that we seem to just shrug it off. But in this case, we’re talking about a small health care entity that due to their own carelessness was forced to pay $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of the 1996 HIPAA security rule. So it’s clear that the rules apply to every health care entity – large and small.

This may not seem like a big deal, but a recent study conducted by IPSOS Reid Research indicated that over half of small business didn't think a breach would occur and if it did, it wouldn't really have much effect on their organization. This is a perfect example of the negligence that happens in businesses every day. In this case, the Hospice of North Idaho reported to HHS that an unencrypted laptop computer containing the ePHI of 441 patients had been stolen in June of 2010. During the investigation HHS discovered that HONI had not conducted a risk analysis nor had it taken steps to develop policies and procedures to address mobile device security as required by HIPAA Security rule.

I believe that most businesses adopt the attitude ‘that won’t happen to us’ – as indicated by research and HHS will most likely chase the big targets. After all, they are probably most at risk due to the number of employees and number of mistakes likely to be made. The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use of disclosure of unprotected health information or a “breach” of 500 patients or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches, like the one at HONI, must be reported to the Secretary annually.

So, be warned. HIPAA rules are not just for large entities and it requires that breaches be self-reported. Not doing so and waiting to get caught can mean a very expensive fine and damage to your reputation and brand. For more information on legislation, check out our HIPAA and HITECH podcast.

New ‘Glamorous’ Jobs Put A Different Spotlight on Information Security

Wed, 08 May 2013 13:23:28 GMT

‘Computer Crime Investigator’;’ White-Hat Hacker’; ‘Incident Responder’… it sounds like a new season of television shows.

In fact, these are job titles in the information security industry and they’re attracting lots of attention.

A recent report from job market expert Burning Glass Technologies shows that the demand for cyber security professionals over the past five years grew 3.5 percent faster than demand for other IT jobs, and about 12 times faster than for all other jobs.

This increase in demand can be attributed to the creation of many new positions within the information security industry. Here’s a quick look at some of them:

Computer Crime Investigator: Recovers deleted, hidden or encrypted data from hard drives for police.
Penetration Tester: Also known as white-hat or ethical hacker, tries to penetrate systems to find vulnerabilities and help a company improve security.
Incident Responder: Handles the aftermath of a security breach incident.
Information Security Analyst: Assesses policies and makes recommendations to improve them.
Network Security Engineer: Oversees computer network security systems.
Forensics Analyst: Identifies how a cyber crime occurred, and who or what was responsible.
Security-Savvy Software Developer: Helps create secure software that is free from vulnerabilities.

The soaring demand for information security professionals is perhaps signaling an important shift in the industry as workplaces put a lot more money and effort into protecting their confidential information against security breaches and fraud.

Check out our report for more information around the state of the information security industry.

I Wanna be a “Shredding Guy”

Thu, 02 May 2013 12:40:59 GMT

I am pretty sure that most folks don’t grow up dreaming of owning their own paper shredding company one day or of being a “Shredding Guy”. Mom and Dad probably wouldn't have understood it or encouraged it, after all, isn't a doctor or a lawyer a way more important job to which one would aspire?

It seems everywhere you turn; more folks are getting into the game of information destruction and why shouldn't they? Information security has become a hot topic and there is definitely a need out there to help people and companies keep their information secure. So it seems around every corner, people are buying trucks, sticking shredders in them and all of a sudden….you’re a “Shredding Guy”. Easy right? WRONG!

Protecting other people’s confidential information requires a significant investment to do it right. First off, you need the right equipment. Secure trucks with all the right locking mechanisms are expensive and specialized. Recently I came across a fellow who jumped into the game with a recycled freezer truck that on the surface looked pretty secure. But on closer inspection, it was clear that this truck was built to keep ice cream frozen not confidential information secure. Next you need a commercial grade shredder that cross cuts the paper into confetti-like pieces and is capable of shredding not just paper but other forms of media as well.

To top it off, you need knowledge and experience to gain the trust of your customers. Do you really think they are going to trust you with an ice cream truck and a used strip shredder you bought on Craig’s list? By the way, how long have you been doing this? You need some time in the “information destruction” saddle to call yourself an expert. Being a shredding guy may look easy but this industry is built on trust – trust you have the equipment and expertise to ensure the confidentiality of your customer’s information.

Hey Mom and Dad….look what I did. I went out and became a shredding guy and I think that’s a pretty noble cause – don’t you?

The ‘Paperless’ Office Myth and Document Security

Thu, 25 Apr 2013 13:37:41 GMT

A 2011 study of U.S. managers whose responsibility included handling contracts for their companies showed that even though 87% of them said their office was mostly digital, only 2% had stopped using paper in their business transactions involving contracts and 18% used digital methods only when signing contracts.

That’s a lot of paper not being accounted for!

Paperless office predictions began in 1975 when personal computers were first being introduced. At that time, a story in Business Week proclaimed that most record-handling would be electronic by 1990.

Of course, that never happened.

Fast forward to 2013 and cloud computing, electronic document management, electronic signatures, and other technology like e-readers and tablets, are all expected to help decrease the use of paper. However, the global demand for paper is still higher than ever, exceeding 400 million tons last year.

While some of that can be attributed to global population growth and subsequent demand, it’s also clear that certain printed documentation has a place in the workplace such as legal documents, contracts, medical papers, etc. At the same time, many people still like to handle paper.

What industry experts are most concerned about though is that some workplaces may operate as though they are ‘paperless’ resulting in minimal attention to document security. This puts business at a higher risk of security breaches and fraud.

The bottom line is this: paper still has a place in the workplace and along with it, a comprehensive information security policy that includes secure storage and destruction.

For more information on maintaining on information security, check out our factsheet on how to protect your workplace from security breaches and fraud.

18 Ways to Go Green in the Office

Fri, 19 Apr 2013 09:45:30 GMT

With Earth Day just around the corner, we've developed a list of 18 green initiatives that can help your business “go green” while ensuring your information remains secure:

REDUCE ENERGY USE

Switch to energy efficient light bulbs and fixtures.
Adjust the thermostat – down in winter and up in summer.
Use energy efficient photocopiers and printers.
Power down the office at the end of the day.

REDUCE WASTE

When information security is not an issue, use both sides of paper for photo-copying.
Encourage other paperless office strategies – i.e., converting documents into digital form.
Involve employees – introduce ‘litterless lunch’ days (non-plastic reusable containers).
Stock the lunchroom with re-usable mugs.
Introduce a green bin program in your organization’s lunch room.

CHOOSE GREEN

Switch to suppliers that offer sustainable products and services.
Rethink packaging of products you make or receive – less is more.
Improve air quality with indoor plants and a fragrance-free policy.

GREEN – OR NO – COMMUTES

Encourage employees to carpool... or walk, bike or take public transportation to work.
Use videoconferencing when possible instead of long distance in-person meetings.

RECYCLE

Recycle e-waste such as mobile phones and printer cartridges. But to avoid the risk of a security breach, computer hard drives and other data sensitive e-media must be securely destroyed before recycling.
Purchase office furniture and furnishings such as mats and carpeting made from recycled materials.
Use recycled paper products.
Partner with a reliable document destruction company so that all documents that are no longer needed are safely shredded and recycled.

For more information and tips around making your business greener and more secure,check out our factsheet.

Protect Patients: Update Your Information Security Policies Now

Fri, 12 Apr 2013 14:20:08 GMT

Healthcare organizations need to take a hard look at their information security processes and put more current policies and procedures in place. Stat!

The Third Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute showed that data breaches in this sector are continuing to increase. Over 90 percent of healthcare organizations had at least one data breach in the past two years; almost half of respondents had more than five. Not only is the frequency of security breaches rising but the average cost of dealing with information breaches is also continuing to rise. In the Second Annual Study in 2011, the Ponemon Institute stated the average was at $2.2 million compared to $2.4 million.

One problem, says Rick Kam, president of ID Experts who sponsored the study, is that healthcare organizations have not kept their information security processes up-to-date. In fact, many companies continue to follow the same processes they have always followed.

Today, BYOD (Bring Your Own Device) programs and mobile device usage in the workplace are two of the biggest – and newest – threats to patient data. Eighty-one percent of organizations allow employees to use their own mobile devices to access patient information. Sixty-nine percent don’t secure medical devices that contain protected health information of patients.

To fully commit to information security, industry experts recommend:

• Re-structured information security reporting to senior management;
• On-going review and updating of policies (adding mobile devices and other IT);
• Pre- and post-breach processes;
• Regular security compliance assessments;
• Partnering with a reliable information security company for secure data destruction services.

For more information on protection patient information, click here.

4 Everyday Technologies that Can Put Your Company at Risk

Thu, 04 Apr 2013 14:33:47 GMT

Technology has automated work processes in so many beneficial ways but it has also created problems, the most critical being the risk of information security breaches.

Here’s a look at four of the most common IT tools in the workplace, the security risks they pose, and how a company can reduce the risk of breaches.

CELLPHONES – According to Verizon researchers, lost or stolen mobile devices are a huge security risk. The SIM (Subscriber Identification Module) card inside every phone contains company and personal information. How to reduce the risk: Password protect (encrypt) mobile devices. Also, before disposing of any cell phone, remove the SIM card and destroy it.

COMPUTERS – Even if the hard drive has been wiped, ‘improper disposal’ of computer hard drives create security threats (information thieves can still restore the data). How to reduce the risk: Partner with a reliable company that offers secure hard drive and other e-media destruction with an itemized Certificate of Destruction for your files.

EMAIL – Accessing personal email at work through web-based email accounts increases the risk of breaches because hackers are penetrating firewalls. How to reduce the risk: Develop an Internet usage policy and educate staff about the dangers of visiting questionable sites and opening unknown attachments.

PORTABLE STORAGE DEVICES - Memory sticks are often used for bringing work home. But employees may lose these devices or unknowingly pick up viruses from their home PCs. How to reduce the risk: Encrypt the devices (or some workplaces ban them altogether), and educate staff about their use.

For more information about information security and what business are doing to remain secure, click here.

Printers: How to Fix This Security Breach Risk

Thu, 28 Mar 2013 14:33:19 GMT

How many times have you seen unclaimed documents in the output tray of an office printer?

That’s just one of the ways office-based printers can put potentially sensitive information at risk.

Networked multi-function printers (MFPs) are also a concern. They contain hard drives for queuing print requests from computers as well as for copying, scanning, emailing and faxing documents. The document images are stored for indefinite periods of time on the hard drives, which means they could end up in the hands of information thieves.

While there are ways a company can protect itself, a recent report by research and analyst company Quocirca shows that less than one-quarter of polled businesses had implemented print security initiatives even though 63% had experienced one or more print-related data breach.

How can a business better manage printing security risks? Here are some important tips:

Create a formalized printer security plan.
Talk to your printer manufacturer about options that protect the printing environment. For example, security settings to encrypt images.
Implement secure printing – called pull printing – across all devices so documents are released only upon user authentication using a PIN code, smart card or biometric fingerprint recognition.
Track print, copy, scan and fax usage with a secure printing tool. An audit trail will identify misuse and waste.
Ensure employees receive on-going training.
Monitor the print infrastructure regularly.

Printer security needs to be an important part of every company’s information security strategy. For more information on protecting your business, click here.

Do Your Information Security Policies Go Too Far – Or Not Far Enough?

Thu, 21 Mar 2013 15:23:28 GMT

Can information security policies go too far?

How about banning the use of cell phones?

A cell phone ban was announced after a security breach involving a phone took place at Jackson Health System in Florida. A former hospital volunteer used his cell to take photos of over 1,000 patient records (and then allegedly sold the information to someone who used it on fake tax returns).

Now a new policy bans the use of cell phones by volunteer workers. Critics say while volunteers won’t be able to photograph sensitive information, they may miss emergency calls or texts too.

What about firing an employee over a data breach... does that go too far?

When an employee with a company that processes prescription transactions for the Utah Department of Health, lost a USB drive filled with patient information, she was fired within a week. The employee stated that they didn’t know copying personal health information (from several thousand patients) onto a thumb drive was against company policy. Furthermore, the confidential information was not encrypted.

Accountability seems to be at the heart of both these examples. A workplace has to fully support and implement information security policies based on best practices. By doing so, it’s fair to expect employees to follow protocols.

Here are some information security policy guidelines to consider:

Create a culture of information security.
Introduce compliance guidelines that include fair consequences for violating rules.
Improve on-going mandatory employee training as a reminder of what is expected.
Consider banning devices that can record or photograph – in certain departments such as R&D.
Have all employees read – and sign – that they acknowledge and understand information security protocols.

Learn more about how to protect your business from security breaches.

Data Breach Security: Here’s Why It Needs Your Attention

Fri, 15 Mar 2013 10:27:02 GMT

How long, on average, do you think it takes a company to discover a malicious security breach?

A few hours? A few weeks?

Try almost three months, according to a new global report by Ponemon Institute.

The 2012 Post Breach Boom report polled over 3,500 IT and IT security professionals whose organizations had suffered at least one data breach in the past two years. The purpose was to look at how the data breaches were dealt with and how prepared organizations were to prevent them. Based on the information that was uncovered, researchers found a lot of worrisome trends in the area of information security.

Despite all the attention given to the importance of information security, data breaches have increased by over 50% in both severity and frequency, and organizations are unprepared to detect or resolve them. In fact, only 43% of respondents said their organizations have the tools, personnel and funding to prevent data breaches.

In situations where a malicious breach has been discovered, it takes an average of over four months to address it. In one third of cases reviewed, the data breach was detected by a third party not the company’s business security system.

Breaches were also divided into ‘malicious’ breaches, which involve the theft of information by an external hacker or criminal insider, and ‘non malicious’ breaches, which are caused by a system error, employee negligence or a third-party.

While all breaches cost companies a lot of money, they also damage reputation, brand value and image and result in lost time and productivity.

How safe is your company? Take this Security Risk Assessment Survey to find out.

10 Ways to Keep Your Data Safe

Fri, 08 Mar 2013 09:18:01 GMT

Verizon’s 2012 Data Breach Investigations report shows that data thieves are still making headway in workplaces around the globe.

The report focuses on 855 incidents in 2011 that resulted in 174 million compromised data records.

The compromised records were the result of several threats including hacking, misuse and physical actions such as theft.

Protecting sensitive data is only becoming more important for companies. Data thieves are targeting hard drive and eMedia more than ever due to the large value of confidential information contained in them.

Here are some tips to keep in mind:

Make information security a part of your corporate culture including standardized policies and procedures, proper on-boarding as well as regular training

Have IT develop information security guidelines (i.e., password protection, email security, encrypt files) and be sure employees receive on-going education.

Inventory all computers to have a record of all the sensitive information they contain.

Isolate, if possible, sensitive information on the fewest number of computers.

Don’t store sensitive information that is not required.

Stay on top of relevant privacy laws and legislation to ensure your company is always in compliance.

Put procedures in place that ensure those employees who leave the company or change departments can no longer access off-limits information.

Ensure that contractors and service providers are familiar with your security procedures.

Don’t stockpile old hard drives or other electronic devices that store data.

Dispose of old hard drives and e-waste securely. A hard drive eraser does not guarantee that data can’t be restored. Destruction is the most effective way to permanently render data files inaccessible. Partner with a trusted e-media destruction company that has a secure chain of custody to ensure proper destruction.

Click here for more information on hard drive destruction.

What is the Value of a Used Hard Drive?

Fri, 01 Mar 2013 08:54:10 GMT

“We live in a world where personal and company information is a highly valuable commodity,” stated Christopher Graham, U.K. Information Commissioner, in response to findings last spring that more than 1 in 10 second-hand hard drives out of a total of 200 investigated hard drives still contained the original owner’s confidential information.

The Information Commissioner’s Office had ordered an investigation of hard drives, USB sticks and cell phones sold at internet auction sites and trade fairs to see if any data remained on them. Sure enough, 34,000 files on the 200 hard drives, 20 USB sticks and 10 cell phones contained personal or corporate information including bank statements, passports, birth certificates, employee information, and tax and medical information.

Of course, this kind of data is a gold mine for data thieves, whether they’re using data recovery software on devices they’ve stolen from garbage bins or landfill, or buying the data online through hacker forums and other websites. While the cost online to obtain this information is astonishingly low - according to a blogger on Naked Security, a hard drive containing information from one million bank customers was listed on eBay for £35 (about $55) – what data thieves do with the information afterwards is where things really start adding up.

One of Ponemon Institute’s most recent studies shows that data breach incidents cost U.S. companies on average $204 per compromised customer record. The average cost on a per-incident basis is around $6.75 million.

The best way to avoid a data breach is to securely destroy your hard drives and avoid stockpiling hard drives and other types of eMedia. For more information about secure hard drive destruction services, click here.

Portable Hard Drive Creates Permanent Problem

Fri, 15 Feb 2013 14:54:22 GMT

In a recent massive data breach in Canada, a portable hard drive containing personal information from over half a million students went missing from a federal government agency office on November 5, 2012. Despite the severity of the problem, staff did not alert the department’s security officer until November 28, 2012 and then took until January 11, 2013 before advising the public.

Employees at the agency – Human Resources and Skills Development Canada – must have known that this was a serious security breach. The hard drive contained the names, social insurance numbers, birth dates, contact information, and loan balances, of 583,000 Canada Student Loans Program borrowers.

While investigations continue and those affected are receiving information about protecting themselves, the information breach has raised so many red flags once again around workplace policies and procedures.

The Canadian Human Resources Minister has called for stricter protocols. Below are some best practices to implement in your workplace to avoid data theft:

Mandatory training on information security for employees;
Ban the use of portable hard drives in the workplace;
Unapproved USB keys are not allowed to be connected to the computer network;
Perform regular clean-outs of storage facilities and avoid stockpiling unused hard drives
Destroy all unused hard drives using a third-party provider who has a secure chain of custody

Remember also that crushing or shredding hard drives and other media is the most secure way to permanently destroy data stored on electronic media when it is no longer needed.

CFO’s Role in Information Security

Fri, 08 Feb 2013 11:09:20 GMT

The importance of information security is changing a lot in the workplace... and nowhere is that more clear than in the CFO’s office.

Data protection used to be the responsibility of IT personnel and the Chief Information Security Officer (CISO).

“But the surge of data breaches has forced finance departments to increasingly collaborate with IT departments for developing security policies through to dealing with data loss incidents,” noted an online post at Computerworld.

As one blogger put it, the Chief Financial Officer’s (CFO) role is expanding to include creating and analyzing business strategies… and what’s on the top of that pile these days?

Data security is the number one issue in the boardroom, according to an annual survey of general counsel and corporate directors of public companies by FTI Consulting and Corporate Board Member.

Of course, the CFO has always been one of the first people in a company to be contacted when a data breach occurs, and they’re usually involved in tasks that follow such as reporting and public notification requirements, impact mitigation, PR fall out, the legal process and risk assessment.

But with the cost of data breaches continuing to rise – the latest numbers published by the Ponemon Institute show data breach incidents cost U.S. companies $194 per compromised record – it is just as common today for the CFO of a company to be involved in the planning and purchasing of security solutions too.

For more information, read our Information Security State of the Industry Report.

BYOD: Take Control and Decrease Information Security Risk

Thu, 31 Jan 2013 15:25:50 GMT

Does your workplace have a BYOD policy?

If so, how closely is your organization managing this policy? The new trend of BYOD, ‘Bring Your Own Device’, might be convenient for employees, but it’s also adding additional risk of information security breaches for workplaces.

BYOD refers to employees using their own smartphones, tablets, PCs, and other mobile devices, for work. Most corporations – 91% according to a 2012 study by Harris Interactive – allow removable storage devices on their internal networks.

The problem is BYOD multiplies the number of networks, applications, and end points that company data may be accessed through. The information security risk is there even if employees just use their personal smartphones to stay on top of emails. Harris Interactive found that 25% of employed U.S. adults have been a victim of hacking on a personal device – which also means that all of the confidential information within their corporate email was also at risk.

So it should come as no surprise that information security experts recommend all organizations – large and small – become much more proactive about managing the use of BYOD devices to access work data.

Here are general guidelines to reduce the risk of data breaches:

Form a BYOD committee.
Create BYOD policies, such as limiting the amount of client information in emails, mandating a start-up password and inactivity timeout, and having data encryption.
Work with IT professionals to put security policies in place.
Work with HR professionals to educate employees about these policies.

Dealing with BYOD is about all protecting sensitive information and your business.

Is Your Business Trustworthy? Your Employees Are Key

Thu, 24 Jan 2013 12:47:23 GMT

One day soon you may see a company advertise the fact that it’s ‘data breach free’!

It’s not as crazy as it may seem.

A recent survey by YouGov shows that 77% of consumers said they would choose to buy from a company that had not had a data breach or leak – over one that had.

Of course, it’s not a big surprise that consumers have lost trust in business and government to safeguard their personal information. The number of reported data breaches from both public and private sectors has skyrocketed in recent years.

But here’s the real survey zinger. It also showed that many of the respondents knowingly take risks with potentially sensitive data when they are on the job.

Of the 2,061 people who were surveyed and who sometimes work away from their office, over half had risked committing a breach by being careless with sensitive information (for example, using unencrypted USB sticks or forwarding emails to personal addresses). They said they either outright ignore their company’s security policies or they‘re just not aware of any.

Whatever the reason, it’s important for all workplaces to have an information security program… and to ensure that their employees buy in. Here are some tips:

Create a workplace culture that values and respects confidentiality and privacy.
Develop an information security strategy that complies with privacy laws and legislation.
Keep employees involved in information security through on-going education and communication.
Partner with an information security company that disposes of private information in a safe and secure manner.

Check out our factsheet on “How You Can Protect Your Business from Security Breaches and Fraud” to ensure you’re company is staying secure.

7 Ways to Protect Your Workplace from Employee Theft

Fri, 18 Jan 2013 10:55:29 GMT

Have you seen all the shocking employee theft statistics?

The U.S. Chamber of Commerce, for example, estimates that theft by employees costs American companies $20 billion to $40 billion a year.

The chamber also reports than an employee is 15 times more likely than a non-employee to steal from the company they work for.

In fact, 75% of employees have stolen at least once from their employer according to Employee Theft Statistics and 37.5% of employees have stolen at least twice.

Also, 33% of business bankruptcies are caused by employee theft.

So what’s being stolen? Employees steal money, time (they don’t work the hours they say they work), supplies, company property / merchandise, and confidential information, which is a data breach and considered the most damaging of all forms of theft.

Here are 7 theft prevention policies to safeguard your workplace:

Create a good workplace environment lead by senior personnel who demonstrate their commitment to all policies.
Include background checks in your hiring procedures.
Educate employees about anti-fraud policies.
Limit employee access to supply and storage areas.
Protect confidential information by limiting access to files and securely shredding your paper when it is no longer needed.
Set up an anonymous reporting system – Statistics Brain shows that employee tips reveal over one quarter of all internal fraud cases.
Perform regular audits throughout your workplace. Audits have revealed 18.8% of fraud cases.

For more information, check out The Human Resource Guide to Creating a Total Security Culture.

5 Workplace Security Tips for a more secure 2013

Fri, 11 Jan 2013 12:23:56 GMT

Statistics show that one billion records were compromised in the last eight years costing U.S. businesses $48 billion per year.

Below are some of 2012’s most common security breach risks amongst large and small business last year:

Over 50% of c-suite executives in the U.S. stated they didn’t use a professional shredding service. Discarded documents often end up in unsecure places such as blue boxes or the garbage which can lead to potential security breaches.

Security Tip: Partner with a reputable shredding company that has a secure chain of custody including locked consoles for documents that are no longer needed.

Last year, over half of businesses in the U.S. stated they felt erasing or deleting electronic data when it is no longer needed is a secure method. Many businesses are not aware that these methods of disposing data can be easily retrieved by identity thieves using simple software.

Security Tip: Ask your shredding provider about their e-media services. Hard drives and other types of media should either be shredded or crushed to ensure the information is completely destroyed.

50% of small businesses last year stated they use an in-house shredder. Not only is this method time consuming and expensive, however it often involves less secure practices such as strip-shredding and storing documents in unlocked areas.

Security Tip: Select a shredding company that uses secure document destruction consisting of cross-cut shredding, locked consoles and a secure chain of custody.

46% of small businesses in 2012 said they do not have someone in charge of information destruction at their workplace. These can lead to weaknesses within your information security plan.

Security Tip: Create a data security program with someone in charge. If you are lacking in resources, this service is often offered by shredding specialists.

In 2012, only 27% of businesses stated they train their staff on a regular basis on secure information handling and destruction. With workplaces constantly changing due to organizational shifts and turnover, not holding regular training can cause knowledge gaps within your staff ultimately leading to unsecure practices.

Security Tip: Initiate regular staff training on information security. Have training material on hand for ongoing support in between training sessions so when new employees begin, they are able to obtain this information.

For more information on information security and staying secure during 2013, read our State of Information Security Report.

2012’s Dismal Data Breach Record – How to Better Protect Your Business’ Information

Fri, 04 Jan 2013 12:53:37 GMT

Data breaches are all too common – and the actual numbers are mind boggling.

Some of the top breaches over the past year include Zappos whose internal network was hacked exposing 24 million records including names, addresses, and parts of credit card numbers and encrypted passwords. Six and a half million user passwords at LinkedIn were breached. And, seven million consumer records including 1.5 million credit cards managed by Global Payment Systems were exposed.

But no less distressing was the employee at a South Carolina government office who was caught emailing himself 228,435 patient records; the fact someone at the Indian Internal Medicine Consultants lost a laptop – and exposed 20,000 patient records; and the often-heard scenario of confidential medical information being found in a dumpster... one example was 4,083 pieces of patient information in Virginia.

Theft, hacking, public access, unauthorized access and improper disposal are the main causes of data breaches.

Why not start off the year by committing to better protect your clients, patients, customers, employees and yourself. Because information security is not just good business practice, it’s the law.

Here are the key principles of a data security plan according to the Federal Trade Commission:

Know what confidential information your business maintains.
Keep only the information you need for your business.
Make sure sensitive information you keep is protected and stays private.
Create a plan if a security breach occurs.
Partner with a reputable shredding company.

Check out the following fact sheet on how to protect your business from security breaches and fraud.

5 Tips to Keep your Information Secure during the Holiday Season

Thu, 20 Dec 2012 14:09:22 GMT

Everyone loves this time of year... especially the humbugs that bank on information security going off track because of the holidays.

But that’s not a done deal.

Here are 5 ways the holidays can put your information’s security at risk – and what you can do to avoid problems.

Shopping: It’s hard to stop employees from searching online for gift ideas. What you can do however is prohibit transactional activities by installing firewalls and safeguards to ensure you are protecting the workplace from nasty viruses, etc., that might tag along.

Office Events: When planning holiday luncheons or events, go off-site or choose an enclosed area like the cafeteria that is away from workspaces. Unnecessary employee access to confidential information is a leading cause of security breaches. In any event, work areas should always be void of any sensitive information and computer monitors turned off. Implementing a Clean-Desk Policy for your office ensures that employees are always keeping this top of mind.

Just a Skeleton Staff: Despite the holiday slowdown, it’s important to continue your regularly scheduled maintenance duties, especially shredding services. Consoles that fill up over the holidays can put your information at risk of breaches.

Taking Work Home: With some staff accessing the business network from home, it’s imperative to have up-to-date anti-virus software. Remind employees to be extra cautious with sensitive documents they take home too.

New Year’s Resolution: Information security should be part of company culture. Update information security policies and procedures regularly, schedule on-going employee education, and if you don’t have one, introduce a shred-all policy in the workplace so all documents and information are securely destroyed when they’re no longer needed.

Happy Holidays!

How to Dispose of Medical Records Properly

Fri, 14 Dec 2012 14:27:45 GMT

Why is it that we never see the doctors on television, like Dr. House, dispose of their patient’s health information in locked consoles?

Maybe if we captured this on TV, it would help improve our record of protecting patient information because it’s not looking very good.

Since 2009, medical information from almost 160,000 patients has been breached due to improper disposal. In one report, a network server was thrown out with the trash and in others; paper records and x-ray film were not destroyed using secure methods.

Data breaches are now being brought to the public’s attention because any breach that affects at least 500 patients now has to be reported – and are publicly posted – to the Department of Human and Health Services website.

There are several things healthcare facilities can do to ensure they are disposing of information securely. Here’s a checklist of preventative measures medical workplaces should keep in mind when developing their security strategy:

Create information security policies and procedures for your facility.
Keep up to date on your industry’s laws and legislation (such as HIPAA, Health Insurance Portability and Accountability Act).
Train employees on proper disposal of confidential information.
Develop a shred-all policy – so that all hard copy and e-documents that are no longer needed are securely destroyed.
Be sure your information security company provides locked consoles, on-site shredding in secured trucks and a Certificate of Destruction after every shred.

For more information on preventing medical identity theft, check out the following white paper. Protecting medical information is the law – and that means disposing of it properly too.

Happy Thanksgiving – A Day of Thanks and Risk

Thu, 06 Dec 2012 09:47:32 GMT

It always starts out with good intentions. “Instead of spending profit on buying confetti for the parade, let’s use the shredded paper we get from our shredder! It’ll be cheaper, it can be recycled and it’ll look just like the real thing.”

Sounds innocent enough….right? WRONG When companies choose to take shortcuts and find cheaper ways to dispose of their confidential information – even with the best of intentions, it is problem just waiting to happen. That’s exactly what happened recently at the Macy’s Thanksgiving Day parade.

The parade features inflated balloons of cartoon characters, marching bands and floats traveling down Manhattan’s West Side to Herald Square, the traditional home of the department store, Macy’s. Part of the festivities includes tons of confetti showered over the crowds from windows and rooftops. Macy’s says it uses “commercially manufactured, multicolored confetti, not shredded paper.” But last week, parade goers were in for a surprise.

Police in Nassau County are now investigating how some of their confidential records including social security numbers and even details about a motorcade for Mitt Romney, then the GOP presidential candidate, ended up as confetti scraps raining from buildings on the Macy’s Thanksgiving Day parade. Some of the parade goers picked up pieces of the shredded paper and found that the strips of paper contained confidential police records and information. There were phone numbers, addresses, social security numbers, license plate numbers, even incident reports from police.

Whether this happened by mistake or whether someone made the decision to add the confidential shredding to the rest of the confetti, it just proves that you cannot be too careful when it comes to destroying and disposing of confidential materials.

In this case the confidential shredding was shredded into strips of paper. It’s important to understand that strip shredding can be re-assembled and it is the least desirable way to destroy confidential information. Shred size is a matter of security and the smaller paper is shredded and the rougher the edges, the better. When looking for a shredding company, choose a third party that cross cuts the paper into small confetti-like pieces that are impossible to re-assemble and ensure confidentiality.

Document Scanning: 6 Key Questions Businesses Must Ask

Thu, 29 Nov 2012 11:32:21 GMT

Digitizing documents you need to keep is an important part of your secure information solution.

Here are 6 key questions to ask your information management expert about the process.

How much will it really cost? Some companies charge per image (page) and may also charge extra for set-up, file preparation and indexing, delivery, etc. Get those details in writing.

Is the imaging process compliant with privacy laws and legislation? This is very important. During the document scanning process, documents should be securely tracked and managed and then destroyed.

Does everything have to be scanned? This can be costly. A complimentary security assessment by the secure information expert would be most helpful to determine what must be imaged, shredded and stored.

Where will scanning be done? To avoid any disruption in your workplace, it’s recommended that documents are picked up by GPS-tracked transport and taken to a secure record center for processing.

How are documents destroyed following the scanning process? Shredding is the most secure method of document destruction. You need to know where this will take place and by whom.

How will data be returned? Find out if you will receive encrypted CDs, DVDs or hard drive for upload to your system, secure FTP or upload to your Cloud storage solution.

At the end of the day, the information your company keeps – and needs to digitize – is important, and it only makes sense to partner with a professional and secure information management company that you trust.

Andrew Lenardon
Director of National Accounts Indirect Solutions for North America at Shred-it

With several years experience in the industry, Andrew offers a wealth of secure information destruction knowledge. In his role, Andrew leads a team of professionals that help both Healthcare and Enterprise organizations improve their information security and ensure they are complying with industry regulations.

Who is at risk for identity theft? Everyone!

Fri, 23 Nov 2012 08:51:45 GMT

It’s likely you’re aware of the importance of information security practices in the office and are probably already taking precautions at your workplace to ensure that you are protecting your business’ confidential information and your customers’ identities. But what happens when you leave the office? Although you may work a 9-5 schedule, identity thieves work around the clock – even at home!

You’ve probably read the stories in the news or online…

A four-year-old starts getting suspicious mail, like pre-approved credit cards that are normally sent to adults.
A high school graduate applies for his or her first credit card – and is denied because of a bad credit rating.
A couple receive a call at night ‘alerting’ them about a stolen credit card... all the caller needs to do is confirm sensitive financial information including address, credit card and Social Security numbers.

As many as 9 million Americans become identity theft victims each year, according to the Federal Trade Commission. In 2011, more than 19,000 cases of child identity theft were reported. According to the National Crime Prevention Council, fraudulent telemarketers direct up to 80 percent of their calls to seniors.

Identity theft prevention is the best way to fight back. Here are a few ways to protect yourself:

Limit the personal information you carry around to only those pieces that you require on a day-to-day basis.
Ensure that you are aware of the person or organization you are speaking to over the phone before providing personal information.
Always securely dispose of personal information by shredding documents before they are recycled.
Research any social networks or secured sites you are planning on joining before providing your personal information.

For more information on Identity Theft, check out our fact sheet for tips on how to protect yourself.

94 Million Reasons Why Government Needs to Be Accountable

Fri, 16 Nov 2012 09:33:31 GMT

Government in the U.S. is doing a really lousy job at protecting Americans’ personal information.

A recent analysis of government breach data showed that 268 data breaches in government agencies over a three year period put more than 94 million personally identifiable information records at risk.

So, from January 1, 2009 to May 31, 2012, 94 million social security numbers, driver’s license numbers, financial account numbers, medical records, citizen or immigration data and several other highly confidential pieces of personal information were exposed.

The report was performed by Rapid7, a provider of security risk intelligence headquartered in Boston, and it included the reasons for why the data breaches had occurred:

Unintended disclosure (this means information was publicly posted, mishandled, or sent to the wrong party via email, fax or mail);
Cyber attacks;
Insider breaches;
Physical loss (paper records were lost, discarded or stolen)
Portable and stationary computerized devices (that were lost, discarded, or stolen).

The report also showed that the numbers are not getting better, they’re getting worse. There was a 50 percent increase in the number of compromises from 2009 to 2010. Even worse, this number tripled between 2010 and 2011.

No wonder industry watchdogs are seething… and demanding stronger nationally mandated laws and controls with regular monitoring as well as serious penalties for those who don’t abide, even governments.

Click here to read more information about information security best practices and document shredding for government offices here.

Scanning Documents: The No-Pain Way to Start

Thu, 08 Nov 2012 13:53:34 GMT

Everyone’s heard about how the world is going paperless... but there’s a long road ahead. Consider that businesses in the U.S. are reportedly storing almost 4 trillion paper documents and that number continues to grow every year.

How can a business ease into the process of scanning important documents without making it a major and costly initiative?

Regard digital document management as a way to free up office space and document storage budget – and solve workplace issues.
Look for opportunities to include document imaging in an existing budget. For example, piggy-back a scanning project with a move or consolidation of office space.
Introduce electronic document management as a business solution for different departments in the company. For example, digitized information will simplify the process of finding and sharing information for customer service.
Apply the scanning process as an information management strategy - destroying obsolete documents and imaging those that must be kept.
Speak to a trusted supplier first. For example, your document destruction supplier may also provide scanning services and be an expert at keeping confidential documents confidential.

It won’t happen overnight (and it doesn’t have to), but every business should be taking the first steps to create an electronic record management system to protect their business, employees and customers.

Andrew Lenardon
Director of National Accounts Indirect Solutions for North America at Shred-it

Fund Your Priorities with a Box of Records

Thu, 01 Nov 2012 14:17:58 GMT

It’s budget season for you and many other companies. It seems every year there are important initiatives that go unfunded: moving to digital solutions, improving security, hiring new sales staff or simply keeping more on the bottom line. Yet every year, certain spend categories in your budget get overlooked for savings because they are assumed to be untouchable.

For the average client, 50% of their records in storage are obsolete, meaning they are held past their retention requirements. If you consider that every box sitting in outside storage costs you between $15 and $45 over 5 years in hard costs and another $7 to $20 in labor costs to access, you may be surprised by how much money you’re wasting every year. If the average Fortune 1000 company has one box in storage for each of their 33,500 employees, that equates to between $250,000 and $750,000 in wasted hard costs and another $117,000 to $350,000 in wasted labor. Think about what you could do with that extra money.

Consider using Shred-it’s proprietary Shift Your Spend analysis , it’s complementary and will help to uncover where you may be wasting your money. Let us help you release your stored-up documents before you put off your priorities for another year.

Andrew Lenardon
Director of National Accounts Indirect Solutions for North America at Shred-it

Why Small Businesses Need to Change their Attitudes about Security

Thu, 18 Oct 2012 15:23:36 GMT

It’s Small Business Week and a perfect time to talk about the habits and attitudes of small businesses around security. It’s actually not great news.

According to the Shred-it Information Security Tracker, small businesses recognize the risk of security breaches but most aren’t doing much to protect themselves.

It’s often a security breach that shocks a business into making changes.

Lifestyle Forms & Displays Inc., a mannequin maker and importer in New York with about 100 employees, is a good example. Last spring, the company discovered that $1.2 million had been stolen from its bank accounts in just hours through online transactions.

Of course, that breach was not an isolated incident. Organizations with between 11 and 100 employees reported 436 data breaches last year – almost six times as many as organizations with between 101 and 1,000, according to the Verizon 2011 Data Breach Investigations Report. While there’s a huge focus on cybercrime, physical theft or low-tech crime is booming too.

Since the attack, Lifestyle Forms & Displays has improved its security and introduced a policy that all outbound bank transactions are cleared by an authorized company executive.

Why not celebrate Small Business Week by making information security a priority in your company too.

Here’s how:

Create a written document of information security policies and procedures.
Train employees about those policies and conduct periodic information security audits.
Securely dispose of all data that is no longer needed – shred hard copy as well as information on hard drives and other electronic devices.

Click here for a DIY Self-Assessment Survey to see your business' level of document security

Interesting Uses for Recycled Paper…

Fri, 05 Oct 2012 14:50:37 GMT

What happens to all the paper that your office gets rid of?

If you are partnering with an eco-friendly document destruction service, the paper is recycled after it has been collected, shredded and baled. And there are a surprising number of products that are being made from recycled paper today (whether it is 100 percent recycled paper or a mixture of new and recycled paper.)

The obvious products are printer and copier paper, toilet paper, tissues, greeting cards, paper towels, and cardboard products.

The not-so-obvious ones are also everyday items used in the home as well as in office and other workplaces.

According to the Environmental Protection Agency (EPA) the list includes: masking tape, bandages, dust masks, hospital gowns, coffee filters, lamp shades, car insulation, animal bedding, planting pots for seedlings, and egg cartons. And, recycled magazine paper is being utilized in products such as handbags, vases, jewelry, and even art.

Most of the time, labels on these products specify their recycled content.

Of course, document shredding companies are big generators of paper – and recycling that paper should be part of their service.

For example, for every two security consoles of paper that Shred-it collects for shredding (and then recycling), one tree is saved.

Shred-it also provides every customer with an annual Certificate of Environmental Accomplishment that shows how many trees the workplace has saved through its green document disposal process.

Recycling paper is one way to help protect the environment, and it’s a community effort that includes individuals and businesses. Learn more about what you can do to be environmentally friendly.

6 Reasons Why an Office Shredder May Make You Crazy

Fri, 28 Sep 2012 14:34:23 GMT

Have you ever heard what an office shredder sounds like?

It can get pretty loud and people in the office don’t like it. A recent Workplace Options survey polled over 600 working Americans; and over half said that distractions in the workplace were bothersome enough to impact productivity.

But noise isn’t the only reason a business might consider getting rid of their office shredder. Here are 5 more reasons:

An in-house shredder takes up precious floor space.
It’s time-consuming to remove rubber bands, paper clips, staples, and the list goes on
It takes an hour for an employee to shred the average amount of paper he or she uses a month… multiply that by the number of employees you have in your office - shredding paper, and you’re losing a lot of productivity by doing it yourself.
The shredding itself causes dust and airborne particles, and (even low-speed) shredders can produce flying fragments. Health and safety precautions (another cost factor) are important.
On-going maintenance (oiling, unclogging and cleaning) is absolutely necessary. And parts like knives and cutters, etc., will need sharpening or adjusting, and of course, the equipment can always break down.

It’s easier – and more secure – to partner with a good document destruction company that will securely remove the documents from your office and shred them in their truck before sending it to be recycled.

For more information, watch this video that shows the secure process

Fraud Alert: Avoid These Common Scams That Target Small Businesses

Thu, 20 Sep 2012 09:44:08 GMT

Is your small business being targeted?

The Little Black Book of Scams, which was published in 2012 by Competition Bureau Canada for consumers and small business, identifies three common scams that target the workplace:

‘Expiring Internet Domain Name’ Scam – Unsolicited letters arrive saying the business’s internet domain name is due to expire and must be renewed; or a new domain name similar to the current one is offered.
‘Directory Listing/Unauthorized Advertising’ Scam – A company is advised by mail or phone about a directory listing or advertisement in a magazine or webpage that in fact hasn’t been booked.
‘Office Supply’ Scam – The company receives and is charged for (over-priced) office supplies that were actually never ordered.

The best way to fight frauds and scams is to avoid them. The Little Black Book of Scams provides these tips for small business owners:

Create clear information security policies.
Educate employees who process the invoices or answer the phone about scams.
Confirm that goods or services were ordered and received before paying an invoice.
Never give out any business information unless it is known what the information will be used for.
Ask for all business deals to be confirmed in writing (not just over the phone).
Limit the number of employees that can approve purchases.
Be sure there are security procedures for verifying, paying and managing accounts and invoices.
Ask for proof when anyone calls claiming the business has ordered or authorized something.

For more information, download the 30 page booklet: The Little Black Book of Scams

5 Reasons Why Winning A Bronze Stevie Award Is A Win-Win

Thu, 13 Sep 2012 14:20:59 GMT

Did you know that Shred-it won a Bronze Stevie Award from the American Business Awards this year?

The award was in the ‘Public Relations Campaign of the Year: Global Issues’ category, for our 2011 Information Security Tracker, an independent Ipsos Reid survey across the U.S., Canada and the U.K. that looked at information security policies and procedures among small businesses. While we are thrilled with this win, we also believe that it’s a win-win for everyone. Here’s why:

The award highlights the Information Security Tracker, which underlines the importance of information security as a global issue – and that’s important.

The award also helps highlight the key messages around information security:
- Regularly review document destruction policies
- Conduct annual security audits, and
- Implement comprehensive trainings for employees

The survey is important as it showed that small businesses need to better protect sensitive information. While 78.6 percent of U.S. respondents knew that protecting confidential data is the law, almost one-third of companies never train staff on information security and 35.5 percent have no protocol in place for storing and disposing of confidential data.

The award confirms Shred-it’s commitment as a reliable source for data loss prevention information.

Shred-it decided to make the Information Security Tracker an annual campaign. Take a peek at our 2012 Information Security Tracker.

There’s nothing like an award to make you feel good about what you do. Shred-it salutes and shares the award with each of its customers. Thank you for being a part of the Shred-it family!

Employee Education is the Key to Information Security

Thu, 06 Sep 2012 18:05:52 GMT

You’d think a government elections agency would have learned its lesson after two unencrypted USBs that held personal information of more than two million voters, went missing. Soon after that incident, other employees were found using memory sticks without enabling their encryption software as well!

No wonder the local privacy commissioner in Canada slammed management for not properly training its workers on security.

While the agency is now reviewing its policies and a privacy-training program has been recommended, the story is a good reminder that every organization needs to train its employees on the importance of information security.

As one industry executive noted: It doesn’t matter what security policies you have created, if employees don’t follow them, your business is vulnerable.

Read our newsletter to learn about how to implement and enforce document security protocols in your business.

Here are some quick tips to help you get started:

Create an information security strategy for the management and destruction of confidential documents.
Be sure that security policies are compliant with national identity theft and privacy legislation.
Train new employees on information security.
Keep all existing employees up-to-date on information security best practices.
Limit the number of employees who handle confidential documents.
Implement a shred-all policy, and be sure that all documents – paper and electronic – are destroyed on a regular basis.

Employee education really is the key to information security.

5 Ways Doctors’ Offices Can Prevent Medical Identity Theft

Fri, 31 Aug 2012 13:33:36 GMT

Has your doctor’s office ever asked you for ID?

Well, don’t be surprised if the receptionist does at your next visit.

That’s one of the strategies being recommended to doctors to help prevent identity theft and all the issues that go along with it.

In a recent article posted on the American Medical Association’s news website, doctors were reminded that medical identity theft has become the fastest-growing type of identity theft in the world.

In fact, Ponemon Institutes’s Third Annual Survey on Medical Identity Theft estimates that 185 million Americans are affected by the crime. Furthermore, the AMA article says that more than 5,300 physicians have listed themselves in a federal database that tracks medical identity theft.

While there is privacy legislation (HIPAA and PIPEDA) in the U.S. and Canada that protects sensitive health information, here are in-office strategies that can help prevent identity theft.

Implement a policy to ask patients, and especially new patients, for two pieces of identification (one of them being photo ID).
Also, make it a policy to ask new patients for their referral source.
Improve handling of patient records. Research shows that medical files are often left unsupervised in rooms, on desks and in door folders.
Review any new patient records for inconsistencies.
Digitize patient records, and partner with a document destruction company to dispose of paper when it is no longer needed.

For more information on preventing medical identity theft, click here to download our free white paper.

More Data Breach Notification Rules Are Needed: Here’s Why

Mon, 20 Aug 2012 16:37:10 GMT

How long should a person have to wait to be notified that their personal information has been exposed in a security breach?

• The U.S Environmental Protection Agency waited over four months to tell nearly 8,000 employees and other individuals about a data security breach, says a recent Washington Business Journal article.

• It took almost a year for Thrift Savings Plan to notify approximately 123,000 participants, according to a story in csoonline.com.

• Elections Ontario in Canada waited three months before notifying 2.4 million voters about a breach.

While the ever-increasing number of data breaches is a huge concern, the variance in when – and if – victims of breaches are notified is also troubling data breach watchdogs.

While there are state and provincial security breach notification laws as well as data protection laws in different industries (i.e., HIPAA and Gramm-Leach-Bliley Act), there aren’t comprehensive federal laws governing notification especially in the private sector.

The good news is in the U.S., there’s now draft legislation to create a single national standard for reporting data breaches; in Canada, parliament is considering a bill that would make it an obligation to disclose data breaches to people.

At the same time, the Verizon 2012 Data Breach Investigations report points out that most breaches are avoidable. One safeguard is a secure document destruction program that includes eliminating unnecessary data. Once paper and electronic data have been securely destroyed, you eliminate the risk of a security breach happening to your business.

Contact Shred-it for more information.

Wall of Shame: Big Breaches Will Put You There

Thu, 16 Aug 2012 15:22:13 GMT

Failing to safeguard your patients’ health information could earn you a place on the Wall of Shame... and it’s not a list you want to be on.

The Wall of Shame resides on the U.S. Department of Health and Human Services website and lists companies that have had information security breaches.

The HITECH act has a new requirement stating that breaches affecting 500 or more individuals and violates HIPAA must be publicly reported.

Learn more about HIPAA and how to be compliant.

Over the past three years almost 500 breaches have been reported to the Office for Civil Rights. That adds up to about 21 million patients who have had their medical records exposed in information security breaches.

There are now nearly 300 hospitals, insurance companies and medical practices on the Wall of Shame. They range from TRICARE Management Activity who lost 4.9 million records when backup tapes went missing, to small healthcare companies, like one in Virginia that put the private information of 4,083 people at risk when it improperly disposed of their patient’s confidential paper.

Theft was the ‘cause’ of about half of the breaches followed by unauthorized access or disclosure, lost records and devices, improper disposal of records and hacking.

Destroying electronic and paper records when information is no longer needed is critical to protecting private information. Securely destroying confidential information prior to disposal is recommended by HIPAA.

Make the right choice. Choose to protect your organization, employees, and patients from identity theft - and stay off the Wall of Shame.

9 Benefits of Document Scanning

Thu, 09 Aug 2012 11:51:32 GMT

Did you know that converting paper documents to a digital format can provide a whole range of workplace benefits? Here’s the top 9 reasons why:

Frees up space. Documents are often stored in bulky filing cabinets and boxes in premium office space.
Saves money. Document storage costs (file cabinets, folders, paper, ink, even weather control systems) are negated.
Supports compliance. Cleaning up files is a great time to make sure document storage and destruction adhere to privacy laws such as the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, and others. Learn about your industry’s compliance requirements by watching this helpful 2min video: Watch Video
Simplifies Employees’ Jobs. Digitized information can be pulled on demand compared to the time spent rummaging through paper files.
Easier handling of information. It’s much easier to access needed files rather than physically going through hundreds of files.
Better security. Digital archiving is a more secure way of storing, organizing and sharing documents (no more passing paper documents around). About 36% of U.S. businesses have no policy for document storage.
Better overall control. A business will be able to keep better track of records. An archiving program logs who attempts to access a file and when they logged in and out. That makes tracking information leaks easier.
Business continuity, no matter what. Statistics suggest that 70% of businesses would fail within a few weeks if paper records were lost in a fire, flood or other disaster. That wouldn’t happen with backed-up digital documents.
Preservation. Digital files last longer than paper.

There are so many benefits to digitizing your documents. Consult a professional information management company to find out how to keep your customers', business and employees' private information private.

Shred-it’s Denver Branch Sets a Guinness World Record!

Thu, 26 Jul 2012 13:38:21 GMT

A recent document shredding event held by Shred-it in Denver, Colorado, was so popular that cars were lining up hours before the 7 a.m. start time when the Shred-it mobile trucks started shredding documents. In fact, so many people showed up during the event with documents they wanted destroyed that Shred-it was able to set a Guinness World Record for ‘Most Paper Collected in 24 Hours at Multiple Venues’.

That’s a win-win-win all around!

How did it come together?

The Shred-a-thon was held in five Denver communities on May 19. Residents were invited to bring up to three boxes or bags of personal documents they wanted destroyed. Residents who brought documents for shredding were also encouraged to make a donation to the Metro-Denver Crime Stoppers, one of the event partners.

The response was overwhelming and helpful in so many ways. Many Denver residents were able to have their confidential papers securely destroyed. (Research has shown that most identity thieves get information through traditional paper-based sources and often these documents are ‘found’ in the garbage or recycling bin.) Crime Stoppers received record donations and helped to further the message about identity theft. And Shred-it collected and shredded 210,025.97 kilograms or 463,028 pounds of paper – and earned a Guinness World Record!

Of course, Shred-it couldn’t have done it without local law enforcement agencies, community leaders, Crime Stoppers, 9News and Shred-it employees who all worked together to publicize and run the event.

A huge thank you goes out to the community and everyone who participated!

Visit Shred-it's website for information about secure document destruction and Shred-it’s document shredding service.

Working from Home? Here are Ways to Avoid A Data Breach

Thu, 19 Jul 2012 10:51:03 GMT

The upcoming Summer Games in the U.K. are no doubt causing a lot of excitement – and concern – for businesses there. With so many visitors expected and increased security issues, many London-based companies have suggested that their employees work from home during the games.

But, of course, that causes its own issues.

One of the biggest problems is all the confidential information that is taken out of the workplace, whether it’s hard copy or on an electronic device. Information security is important and data breaches can occur when this information is left in non-secure locations such as recycling bins, the garbage can, or the kitchen counter.

It isn’t a new problem – a study by Ernst & Young showed that there were 46 million telecommuters worldwide last year.

The most important message for any employee who works from home is that they treat confidential information the same way they treat it in the workplace.

Here are some guidelines.

Only take confidential information out of the workplace when it’s absolutely necessary.
Avoid printing out confidential documents; use email or digital storage devices instead.
Transport any printed documents securely.
Be especially careful if you work in public places such as coffee shops or the park.

Shred all documents that are no longer needed (return them to the office for secure document destruction by a paper shredding company).

Community Shred-it™ Events Promote Information Security

Thu, 12 Jul 2012 15:51:46 GMT

Talk about ‘edu-tainment’. At a recent Community Shred-it™ Event in Canada, parents stood at the mobile shredding truck with their kids like they were watching a live show!

“They were explaining what was happening as the documents were shredded right in front of them,” said one of the volunteers. “And that was cool.”

What was really cool though was the fact that the parents were teaching their children about information security and secure document destruction.

“A lot of people were actually surprised that we do the on site shredding,” said the volunteer. “They figured the paper would be dumped into the truck and taken somewhere for shredding.”

But that’s another good lesson learned... the most secure way to dispose of confidential information is to have them it shredded securely on site by a secure paper shredding service.

For all of its business clients, Shred-it provides secure locked consoles for the collection of office documents. During scheduled visits, the Customer Service Representative (CSR) empties each console and takes the documents to a locked area on the mobile truck where they are shredded on site at the customer’s location. The customers can choose to watch the entire process.

At Community Shred-it Events, residents bring the documents they want to have shredded. While it’s a free service, they are encouraged to donate to a local charity (for example, $10 for a big stack or bag and $15 for a banker box). In Canada, Crime Stoppers is one of the charities Shred-it often partners with.
These events help increase the knowledge of identity theft and that makes the community a safer place.

Find out more about Community Shred-it Events in your area.

Does Your Shredding Company Define ‘Customer Centricity’?

Thu, 28 Jun 2012 14:33:24 GMT

“Your guys were very polite, accommodating and did everything they could to help us."

“Very friendly drivers, they are in and out in less than 5 minutes.”

“We appreciate their friendly service.”

These customer testimonials are the kind every document destruction company wants to receive. And they are reflective of customer centricity, which is when companies focus wholly on the needs and behaviors of its customers.

Partnering with a reliable document destruction company is an integral part of information protection and security and reducing the risk of security breaches. Here are 5 customer centric policies:

The company has a secure chain of custody that is all about helping you to prevent expensive and damaging information security breaches.
Company representatives go out of their way to tailor the service to your specific needs.
The company is knowledgeable about all privacy laws and legislation for your specific industry.
A dedicated support team is willing and able to provide helpful advice around secure document destruction.
All documents are recycled after shredding, and an annual Certificate is produced to track the amount recycled through your shredding program.

7 Must-Have Qualities of Local Document Destruction Suppliers

Wed, 27 Jun 2012 15:06:28 GMT

“My company already used you for disposing of important, confidential documents,” stated the testimonial. “Since we have been so pleased with the service, when opening another location in another state, the choice was easy. I called the local office and before I knew it, ordering the shredding service was crossed off my list of things to do.”

When it comes to hiring a document destruction company, it’s always a good idea to find a company that is situated nearby or at least in the same city.

Calling for assistance when the company is in a different time zone or being connected to a call center somewhere off-shore can be frustrating.

Of course, with the frequency of security breaches and the steady rise in identity theft, secure document destruction is a fundamental part of business today. Also, every company has a legal obligation to keep private information private especially when documents are no longer needed.

Here are 7 must-have qualities of document destruction suppliers:

The company has a branch in your local area.
The company is committed to best practices in secure document destruction.
The company is prompt and efficient with as little disruption to your workplace as possible. “Always cooperative, always on schedule, always efficient, great company,” is how one testimonial has described it.
There is a dedicated support team that is available to answer questions, address concerns, and meet with you if need be.
The company utilizes the latest technology. For example, handheld technology improves efficiency such as ensuring each console is emptied completely during servicing.
Service is convenient and flexible – if you need to change the time or the job in any way, it’s never a problem.
The company is always on time for its scheduled appointments.

For frequently asked questions about secure document shredding, click here.

10 Ways To Know Your Document Destruction Company Is Tops

Fri, 22 Jun 2012 13:57:57 GMT

“The gentlemen that take our shredding could not be nicer. They are always courteous and very professional. The service is always consistent and prompt.”

Probably the most important service that a document destruction company can provide its customers is security of all confidential information from start to finish. But the next most important thing as noted by the above testimonial – is service. And, there’s nothing like receiving extraordinary service. It makes you feel special, and it often means the job gets done more efficiently.

Here are 10 ways to judge the service provided by your document shredding company.

Information security from start to finish... for example, documents are not sorted in any way before they are shredded.
Trustworthy – All employees are security-checked and specially trained to handle confidential material.
Transparent – Customers are invited to watch their documents being shredded.
Secure consoles – Consoles for document storage are locked, and documents are not retrievable once they’ve been deposited.
Flexibility – You can have a one-time or regularly scheduled shredding service.
Efficiency – Any rescheduling is done quickly and with courtesy.
Variety of shred-sizes – Depending on your industry’s specifications, different shred-sizes are available.
Options – Consoles are available in several custom finishes so you can complement your office decor if you want to.
It’s all about you – The company assigns a dedicated support team to every customer.
Reach – The company has locations around the globe... just in case you do too.

Information Security is a Big Deal to Big Businesses

Thu, 21 Jun 2012 14:31:50 GMT

Big businesses know information security is no small matter.

According to Shred-it’s 2012 Security Tracker, 33 per cent of big businesses understand that lost or stolen data would result in severe financial impact. In fact, estimates from the Ponemon Institute and CyberFactors predict that losses resulting from data breaches could reach as much as $100-$225 million.

However, businesses are doing a great job of making security a priority to reduce the risk. Ninety-three per cent of large businesses have someone directly responsible for managing data security issues. For added security, 47 per cent also have locked consoles and use a professional shredding service to destroy sensitive documents.

While these businesses are taking some great steps to protect sensitive or confidential information, many still feel that the threat posed by data breaches should be dealt with more strictly at a federal level. More than 55 per cent, of large organizations are in favor of, and would encourage a new data privacy law in the U.S.

It’s great to see so many businesses taking an interest in security, but legislation is not the only way to protect an organization: security starts from the ground up. Check out our business information security tip sheet for steps you can take to build a security culture in your business.

Do you agree the U.S. should institute stricter security laws? LinkedIn, Twitter, Facebook or Google+.

Small Businesses are Not Making Security a Priority

Thu, 14 Jun 2012 15:03:39 GMT

Businesses of all sizes are responsible for a great deal of client and employee information. However, many small businesses don’t appear to understand the risk posed by data breaches and are complacent about protecting confidential information.

The results of the 2012 Security Tracker, an independent survey conducted by Ipsos Reid on behalf of Shred-it, shows that nearly half of U.S. small businesses do not have an employee directly responsible for managing data security.

The reason for this may be that a surprising 51% of small businesses believe that lost or stolen data would not seriously impact their business. In fact, data breaches cause nearly 80 per cent of small businesses to file bankruptcy or suffer severe financial losses within two years of the breach, according to identity theft specialist John Sileo.

It’s never too late to make security a priority. Safeguard your confidential information and your business by taking the following steps:

Implement ongoing risk analysis processes and create a policy specifically designed to limit exposure to fraud and data breaches.
Regularly train employees in proper document management and encourage their adoption of security best practices.
Utilize special locked consoles to house sensitive materials that are waiting to be properly shredded.
Implement a “shred-all” policy so that all unneeded documents are fully destroyed on a regular basis.
Don’t overlook hard drives on computers or photocopiers; physical hard drive destruction is proven to be the only 100% secure way to destroy data from hard drives permanently.
Hire a reliable vendor that is well-informed and keeps you compliant with pertinent legislation, training requirements etc.

For more security tips, visit us on LinkedIn, Twitter, Facebook or Google+.

Looking For a Document Disposal Company? Use This Checklist

Thu, 07 Jun 2012 16:01:51 GMT

How you dispose of confidential information that is no longer needed can be the difference between information getting into the wrong hands (accidently or not) – and information remaining confidential and safe.

The best document destruction companies:

Use initial and on-going security assessments to identify problem areas.
Recommend a shred-all policy so employees don’t have to decide which documents are confidential – all are securely shredded at your location.
Install locked consoles in their workplace for secure document storage before shredding.
Have NAID (National Association for Information Destruction) certification.
Provide cross-cut shredding in a variety of different sizes.
Issue a Certificate of Destruction after every shred.
Make service a priority.

This testimonial says it all: "Always cooperative, always on schedule, always efficient, always courteous. Great company." The best document destruction companies also make customer service a priority

For more information, visit http://shredit.com/Home.aspx.

4 Tips to Improve your Information Security

Thu, 31 May 2012 09:41:44 GMT

When a company experiences a data breach, its brand equity and reputation take a big hit. A recent survey by Ponemon Institute showed that the average time it takes to restore an organization’s reputation after a data breach is one year.

Of course, data breaches are occurring in businesses of all sizes, and no industry is immune.

Whether your company is regional, national or global, information security is important. What’s most important is that a business protects its customers, employees, intellectual property and brand against data breaches.

Here are some tips:

Think prevention. Develop a preventative approach that’s strategic, integrated and long-term to stop information breaches from occurring in the first place.

Conduct a periodic information security assessment. Knowing how documents are generated, revised and stored lets you identify security weaknesses in the lifecycle. Look for risk points where information is left unattended or easily accessible. Be sure to look at both electronic and paper-based sources.

Encrypt data. Now that smart phones, tablets, external memory drives and laptops are an integral part of the workplace, be sure that all confidential data on these devices are encrypted – in case of theft or loss.

Introduce a shred-all policy. Simply decide that all business documents are shredded when they’re no longer needed. Here’s more information on the benefits: http://blog.shredit.com/Blogs/Shredit-Blog/April-2011/Establishing-a-Shred-All-Policy.aspx

4 Security Tips for the Financial, Insurance and Legal Industries

Thu, 24 May 2012 13:18:34 GMT

Every year identity theft costs businesses $221 billion worldwide.

That’s a huge amount of money, and it underlines the importance of protecting clients in industries where private information is required in everyday transactions.

While financial, insurance and legal industries are bound by increasingly stricter privacy rules and regulations, here are some specific security tips that can help reduce risk of data breach :

Conduct information security assessments. Knowing how internal documents are generated, revised and stored can help identify security risks. Be sure to include both electronic and paper-based sources.

Encrypt data. Smart phones, tablets and laptops are becoming standard business equipment for employees. As a result, it’s important to encrypt data on these devices just in case the device is stolen or lost.

Introduce a shred-all policy. A shred-all policy means that all workplace documents will be shredded when they are no longer needed. Employees won’t have to decide which documents are confidential. Also, shredding documents is a 100 percent secure way of destroying them completely. (Remember, 56 percent of businesses in North America do not have a secure method of document destruction.)

Don’t forget Electronic Media. When it comes to disposing of sensitive data, don’t overlook hard drives on computers or photocopiers. Erasing a hard drive does not guarantee that data is gone. In fact, physically destroying a hard drive is the only sure way to destroy any data on it.

Small Businesses Need to Improve Their Information Security

Fri, 18 May 2012 08:51:50 GMT

A recent survey shows that small businesses are specifically being targeted by cybercriminals – because data is not as secure as it should be. In fact, according to the Verizon 2011 Data Breach Investigations Report, most data breaches could be avoided if companies had fundamental security precautions in place.

Having a privacy policy is the first order of business. Here are three additional areas where small businesses can improve their information security:

EMPLOYEE TRAINING. Thirty one percent of small businesses have never trained their employees about the importance of information security. Start holding quarterly training or retraining sessions for all employees so the privacy policy is understood and followed.

COMPLIANCE REQUIREMENTS. Many small businesses do not realize that protecting sensitive information is the law. Stay up-to-date about privacy legislation in your industry and be sure any policies are adapted and reinforced.

DOCUMENT DESTRUCTION. More than half of the 24.6 million small businesses in the U.S. do not have a secure method of document destruction. Experts recommend a regularly scheduled document destruction process so confidential paper waste doesn’t accumulate. Shredding – documents and e-media – is the preferred method of destruction. Confidential documents that need to be destroyed should be in locked consoles before they are securely shredded. A reputable shredding company will recycle shredded paper products as well and provide a Certificate of Destruction after every shred.

For more information, visit http://www.shredit.com/Solutions/Paper-shredding-service.aspx.

Social Media is a Great Source of Document Destruction Information – and Solutions: Here are 5 Examples

Wed, 16 May 2012 11:54:01 GMT

These days everything is about social media. Whether it’s Facebook, YouTube, Twitter; you name it –more and more companies are focusing on reaching out to people through social means.

Shred-it now has multiple social media channels to communicate and engage with you.

We’ve got videos about secure document destruction to help people learn more about the importance of information destruction.

We have a Facebook page to share regular updates on information security breaches, conversations about fraud preventions, details about upcoming Community Shred-it events and much more.

We ‘tweet’ regularly on Twitter too. Recently, followers were reminded that “simply erasing your hard drive actually leaves your data open to fraud”. The solution? Crush your hard drives to protect your confidential data.

Our Linkedin Page is about connections, ideas and opportunities in secure document destruction. For example, we share links to – and invite discussions about Infographics that show security breach risks by the numbers. One Infographic, for example, shows that data breaches cost businesses an average of $7.2 million.

Google+ is another great place to find and share information about topics. If you become a part of our Google+ circle; you’ll be able to engage with people who face the same information security challenges as you.

Social media plays an important role in spreading the word about information security and keeping what’s private, private. If you haven’t joined us yet, we invite you to join now!

Join us	Follow us	Add us	Join us	Watch us

Think You’re Not at Risk of Experiencing a Security Breach? [INFOGRAPHIC]

Thu, 10 May 2012 15:31:23 GMT

What’s the risk of a security breach in your company?

It’s probably higher than you think... considering that statistics show 85% of companies in the U.S. have experienced at least one data breach.

Legal, insurance and financial offices are particularly at risk because of the type of information they collect and store. Identity theft criminals need credit card information, bank statements, mortgage and insurance papers, and similar information, in order to ‘steal’ identities.

Identity theft is widespread – around the world, identity theft crimes increased by 13% in 2011.

At the same time, insurance fraud is up (by 40% last year), consumer confidence is down (one in 10 consumers have had their identities stolen in some way) and the cost of corporate identity theft is skyrocketing (it costs U.S. businesses about $48 billion annually).

For information about reducing the risk of security breaches in your particular industry, visit http://www.shredit.com/Solutions.

Is your Document Destruction Partner NAID certified?

Thu, 03 May 2012 09:37:11 GMT

The document destruction industry plays an important role in helping workplaces of all sizes protect sensitive information and stay compliant with the privacy rules and legislation in their industry.

But who is helping to monitor that document destruction companies are doing the right thing?

That’s where NAID, the National Association for Information Destruction, comes in.

NAID is an international trade association for companies that provide information destruction services. And it is, in effect, the ‘watchdog’ of the shredding industry.

Its certification program for document destruction companies is the gold standard in the industry. ‘AAA NAID Certified’ means a company’s mobile document destruction meets the stringent security practices and procedures established by NAID.

For customers, certification also verifies on-going compliance of destruction services within NAID’s security standards – because audits are on-going.

NAID is like an independent auditor, checking a shredding company's compliance in different areas including everything from shred size to employee background checks. Facility security, monitoring systems and destruction equipment must all stand up to the auditor’s inspection.

Of course, a company that is AAA NAID Certified will highlight this certification to its customers – on its website, etc. Here’s an example: http://www.shredit.com/Home.aspx.

For more information, visit www.naidonline.org.

Cyber crime hitting Small and Medium Sized Businesses

Thu, 26 Apr 2012 14:44:25 GMT

Small- and medium-sized businesses beware! Cybercriminals have shifted their activities away from large corporations and they are now targeting smaller businesses.

According to the Verizon 2011 Data Breach Investigations Report, opportunistic cybercriminals are making headway because of the lack of computer data security.

The troubling part is that cybercriminals are using “fairly unsophisticated methods” to access data. In fact, 97% of the data breaches were avoidable. Most breaches could be avoided if companies had fundamental security precautions in place.

The recommendation, of course, is that small and medium sized businesses get more serious about implementing and committing to information security practices. This includes staying up-to-date about privacy legislation, being compliant, and implementing essential controls across the entire business.

Another key recommendation, as always, is for companies to eliminate all unnecessary data. The most secure method of document destruction is shredding – whether documents are paper or they are saved on a hard drive or other media device.

For more information about secure document destruction, visit http://www.shredit.com/Shredding-Service/Secure-Shredding.aspx.

When It Comes To Data Breach Risks, Smartphones Are Not So Smart

Thu, 19 Apr 2012 11:34:18 GMT

Does your business provide Smartphones to employees? Or, would employees use their own Smartphones to conduct company business?

If the answer is yes to one or both, you’ll want to pay attention to the 2012 Identity Fraud Report by Javelin Strategy & Research.

The report showed that last year, 11.6 million adults were victims of identity fraud in the United States, an increase of 13% over the previous year. Smartphone users were about 33% more likely to be victims of identity fraud vs those that don’t use a smartphone. While the report did say there is no proof of direct causation, the most popular social websites also had the highest incidence of fraud. That would be Linkedin, Google+, Twitter and Facebook.

In effect, Smartphones are minicomputers that store a lot of personal information. And, while a business has limited control over an employees’ online behavior, it can introduce stringent data security procedures and policies in the workplace.

Recommendations :

1. Keep personal data private at home and at work.

2. Lock devices.

3. Use passwords.

4. Never save login information on a device.

When it comes to disposing of Smartphones and hard drive destruction, only crushing and shredding the device guarantees 100 percent destruction.

For more information, visit http://www.shredit.com/Shredding-Service/What-to-shred/Hard-drive-destruction.aspx

A Data Breach Could Put You Out of Business

Thu, 12 Apr 2012 15:51:56 GMT

Did you know that a data breach can put you out of business?

A national medical records firm is one of the latest examples of how that can happen.

On New Year’s Eve, Impairment Resources LLC’s San Diego office was broken into. Their electronically-filed information from 14,000 patients – including their addresses, Social Security numbers and medical diagnoses – were taken.

The company did its due diligence and reported the breach, but several weeks later it also filed for bankruptcy protection. According to reports, Impairment Resources had $226,000 in assets, more than $580,000 in liabilities, and the potential for countless lawsuits from individuals resulting from the data breach.

Regardless of how sensitive information gets into the wrong hands, the consequences can be significant, and it’s not just large companies at risk.

Medical practices of all sizes must be compliant to the privacy and security rules set out by the Health Insurance Portability and Accountability Act (HIPAA). There must be appropriate safeguards in place to protect patients’ health information.

Here are some of the most important safeguards:

Develop a HIPAA compliance program and review and update it regularly
Document policies and procedures
Be sure HIPAA training is in place for employees
Introduce a shred-all document shredding policy to ensure all sensitive documents are securely disposed of and permanently destroyed when no longer needed

How to Avoid Privacy Breach Complaints: Avoid Privacy Breaches

Thu, 05 Apr 2012 15:43:35 GMT

The buzz around ‘security breaches’ just keeps getting louder. Not a day goes by without something popping up in the media about a data security breach. There’s always another study or paper being released by the government or other organizations. And, now there’s data breach reporting by ‘victims’ in the news. The Privacy Rights Clearinghouse (www.privacyrights.org) recently introduced a simple online tool for consumers to file complaints about security breaches that includes who to file the complaint against.

Of course, there is so much at stake when sensitive information gets into the wrong hands. The biggest risk is identity theft and the costs and stress associated with that. Whoever is to blame for the breach is also in big trouble. Protecting sensitive information is the law in North America (laws include HIPAA, FACTA and PIPEDA) and the consequences for a business when there is a security breach can be severe. Possible penalties include fines and potential jail time, a loss of assets, and a tarnished reputation.

But let’s back up a bit. A privacy breach occurs when there’s unauthorized access to personal information. A company can do a lot to reduce the risk.

Have a security risk assessment of both physical and technical security.
Review policies and procedures around security, record retention and document disposal. Shredding documents and eMedia is the most secure way to dispose of sensitive information when it’s no longer needed.
Review and improve employee training practices.
Work only with service partners who are committed to security best practices.

Going Green: How Green Is Your Office?

Thu, 29 Mar 2012 11:23:51 GMT

How environmentally friendly is your workplace?

Most businesses today recycle their paper documents as part of their commitment to sustainable practices. But if you’re not recycling paper securely, your good intentions could lead to a security breach.

By partnering with a secure document destruction company, you can make sure that every piece of paper you discard stays safe — from the time it leaves your hands to the moment it’s shredded and then recycled.

Every ton of recycled paper can save:

• 17 trees, which will absorb 250 lbs. of carbon dioxide each year

• 380 gallons of oil

• 4,000 kilowatts of energy

• 3 cubic yards of landfill space

• 7,000 gallons of water

Per ton, that equals a 65% energy savings, 58% in water savings and 60 lbs. less air pollution.

Make secure document destruction is a part of your company’s sustainability program today!

Here are some helpful tip s and best practices that can make your workplace more eco-friendly :

Watt’s up: You would never leave home with all the lights on, computers and printers running, so why is it OK to do this at the office? Using a power strip for devices like computers, lights and printers makes it easy to shut down an entire desktop at once.

Light for less: Artificial lighting accounts for 44% of the electrical use in office buildings. As your current light bulbs burn out, replace them with Energy Star-rated light bulbs and fixtures, which use at least 33% less energy than regular lighting.

Smarter heating: Create an afterhours and weekend thermostat setting. If you know your employees aren’t going to be in the office, use a lower setting that conserves more energy during these hours. Be sure to allow an override function so that it can be changed if someone decides to come in to work.

Put Secure Document Disposal Consoles Where They’re Needed Most

Mon, 26 Mar 2012 13:29:52 GMT

Where do you think the highest number of sensitive documents end up in your workplace?

Document destruction experts say that it’s often the boardroom and other meeting rooms where a lot of documents containing private information end up on the table. That includes internal documents such as strategic plans, sales reports or personnel information, or documents that have been brought to meetings by clients or customers.

Of course another important question is whether your company has a document disposal program in place that protects all that confidential information and helps you avoid any type of security breach. You don’t want sensitive documents left on the boardroom table or tossed into the garbage.

One way to avoid problems is to introduce a Shred-All policy in your workplace. All documents that are no longer needed would be put into locked consoles and later destroyed by the document shredding service.

The placement of the consoles is key; and that takes you back into the boardroom. Some companies are reluctant to put consoles in their meeting rooms and even in general areas in the office, because of consoles’ institutional look.

But they’re not all big blue bins and containers that look like garbage bins.

In fact, some information destruction services offer custom wood finishes… so consoles can be made to match your office décor. It’s all about secure information destruction and giving you peace of mind knowing that your business is secure.

What You Need To Know About The HIPAA Compliance Audit Program

Thu, 15 Mar 2012 09:44:49 GMT

Ever since the Department of Health and Human Services’ Office for Civil Rights announced the HIPAA Compliance Audit program last year, companies in the healthcare area have been reviewing their HIPAA privacy rules and making improvements.

At least that’s the hope.

Because the Compliance Audit Program is now underway with hundreds of organizations in the United States scheduled for audits this year.

The whole idea, of course, is to improve compliance to the Health Insurance Portability and Accountability Act’s privacy and security rules. HIPAA compliance requires that appropriate safeguards, including physical safeguards, are in place to protect patients’ health information.

While auditors will look closely at how compliance requirements are being met, they will also identify areas where companies can make improvements. At the same time, when the risk of medical identify theft is high and security policies are not being strictly adhered to you may be at risk to fines and penalties.

What can you do to prepare, whether you’re scheduled for an audit or not?

Review the lifecycle of all health information created in your organization and document where the information is created, how it’s maintained, and how it’s disposed of.
Develop a compliance checklist that is reviewed and updated regularly.
Be sure policies and procedures are documented and are an integral part of new – and on-going – employee training.
For document destruction, introduce a shred-all policy to ensure all sensitive documents are securely disposed of and permanently destroyed.

For more information about Medical Records Destruction Solutions, visit http://www.shredit.com/medical-records-destruction

How Safe is Off-Site Document Destruction?

Thu, 08 Mar 2012 14:01:16 GMT

Off-site document destruction can be risky business... and at worst lead to a security breach.

First off, please check out the presentation below for an introduction about why on site shredding services is the most secure method.

For optimal results, please use either Internet Explorer or Firefox to view the Prezi presentation.
Please give the presentation a couple of seconds to load. You can monitor the progress by watching the blue line stream underneath the presentation.
Once you have hit "Play", click "MORE" to select the different viewing options available.

The first concern is how confidential documents are stored before they are picked up. If they’re in open bins or boxes – rather than locked consoles – they can be easily accessed by anyone.

Transporting un-shredded sensitive data also increases the risk for a security breach. Do the collection trucks make numerous stops? Do trucks sit unattended? This can increase the risk of information getting into the wrong hands.

Some companies sort paper before it is shredded to improve recycling grades – and that means confidential information is exposed.

At the same time, off-site destruction means there’s no opportunity to watch the actual paper shredding process, and really, no positive proof that documents have been properly destroyed.

On the flip-side, the entire process is much more secure when documents are shredded by a document shredding company – behind a locked gate in a truck parked outside the workplace. Security experts also recommend locked consoles for document storage and regularly scheduled service. A Certificate of Destruction after each shred verifies that confidential documents have been securely destroyed.

Of course, some businesses have special requirements and need off-site shredding services. What’s most important is that those businesses partner with a recognized document destruction company that provides a secure chain-of-custody process for document disposal from start to finish.

Still have questions? Explore the presentation below for more information about why mobile shredding services at your location, is the most secure method.

What Are Your Document Security Breach Risks?

Wed, 29 Feb 2012 13:33:04 GMT

With all the press on security breaches these days, many businesses are taking a long, hard look at their own document security systems.

Good thing.

A 2010 U.S. study showed that the cost of a data breach is estimated to be $214 per compromised record and an average of $7.2 million per data breach event. The Ponemon Institute, which did the study, says you also have to factor in indirect costs such as a damaged reputation and lost customer business.

How does a business figure out its information security risk?

Identify and assess the risks to confidentiality, integrity and availability of information. And, you can do that in a few different ways.

Do your own risk assessment as a start. Meet with heads of departments and discuss what security policies are in place, if there is effective employee training about security policies, and where security breaches might occur.

Do a more structured Risk Assessment Survey. For example, the survey at http://www.shredit.com/Shredding-Service/Risk-Assessment-Survey.aspx looks at how you are managing information security.

Partner with a recognized document shredding company that will do regular security risk assessments of your workplace as part of its service. The company will make best practices security recommendations. For example, introduce a shred-all policy so that all unneeded documents are destroyed on a regular basis; use locked consoles placed strategically throughout the office for secure document disposal; and have your confidential documents destroyed on-site in a locked area on a mobile shredding truck. Also, you should receive a Certificate of Destruction immediately after each shred.

Security Breaches - Governments are at risk too [INFOGRAPHIC]

Thu, 23 Feb 2012 10:10:32 GMT

Here’s a common scenario. You call a government office because you’re having problems filling out a form on their website. You tell the person you’re uncomfortable providing private information online and they reply without a beat: “Don’t worry; we have all kinds of security measures in place.”

But it’s pretty hard not to worry.

Security breaches in government institutions are such a common occurrence today. A report shows that insiders are behind 42 percent of government breaches – and that’s a 68 percent increase from 2008.

Whether malicious or accidental in nature, any security breach point needs to be addressed and taken seriously.

How to do that? One way is to partner with a reliable document destruction company, have sensitive paper and e-media documents destroyed securely and regularly, and stay abreast of privacy rules and regulations.

Now we’re talking security measures.

Are Your Documents Being Destroyed Before They’re Recycled?

Thu, 16 Feb 2012 15:45:35 GMT

It feels good to do your part for the environment – and recycling paper is one of the gold standards.

Business plays a big role considering that the average office worker in the U.S. uses 10,000 sheets of copy paper each year, according to the U.S. Environmental Protection Agency. And, we’re doing a good job. In 2010, 63.5 percent of the paper used in the U.S. was recovered for recycling. The Paper Industry Association Council says that number represents an 89 percent increase in the recovery rate since 1990.

So here’s the thing. Most of the paper sent for recycling by business should be shredded paper. Keeping customer and employee information private is the law, and that means securely disposing of sensitive documents when they’re no longer needed. Shredding paper is the most secure method.

While some document destruction companies provide recycling services too, it’s important that your documents are completely destroyed before they’re sent to a recycling facility. The worst case scenario is that they’re being sold to another company for paper revenue before they have been shredded.

To be sure, partner with a shredding company that has a first-class reputation and a comprehensive document destruction program. All documents should be shredded into confetti-like pieces on site at your office location in a locked area on a mobile shredding truck before they are sent for recycling. You should also receive a Document of Destruction immediately after each shred.

How Safe is Off-Site Document Destruction? Take 2

Thu, 09 Feb 2012 13:56:43 GMT

Off-site document destruction can be risky business... and at worst lead to a security breach.

First off, please check out the presentation below for an introduction about why mobile shredding services is the most secure method.

The first concern is how confidential documents are stored before they are picked up. If they’re in open bins or boxes – rather than locked consoles – they can be easily accessed by anyone.

Some companies sort paper before it is shredded to improve recycling grades – and that means confidential information is exposed.

At the same time, off-site destruction means there’s no opportunity to watch the actual paper shredding process, and really, no positive proof that documents have been properly destroyed.

Start the New Year Right: A Clean Office Can Improve Security

Wed, 08 Feb 2012 15:32:57 GMT

The start of a new year is always a good time to do some housekeeping in the office. It’s nice to work in a spotless, uncluttered space but more importantly, an organized and clean office is an important part of document security and minimizing data security risks.

How’s that? At its most basic level, a big part of document security is about storing documents safely whether they’re being kept on file for a certain amount of time, or they’re ready to be disposed of safely.

Here’s a checklist to help get your office in order.

Employees’ Work Space: Have every employee clean their desk areas to free up and organize their space. Provide desktop organizers or trays.
Activity Centers: General activity centers will help keep things organized. A Reference Center, for example, would include binders, manuals and dictionaries. A Supply Center would contain office and paper supplies.
Storage: Be sure to have a good system for filing, dating and then disposing of documents according to privacy legislation.
Document Disposal: Partner with a knowledgeable shredding company that specializes in secure document and eMedia destruction. Locked consoles for documents that needed to be shredded should be placed in high traffic areas around the office. The document shredding service provider should come regularly to shred materials on site and in a locked and secure area at your office location. You should receive a Certificate of Destruction immediately after each shred.
Cleaning Service: Be sure your cleaning service does background checks on its employees. You want a clean, secure office across the board.

How to Stop Identity Theft at Tax Time

Wed, 01 Feb 2012 15:38:39 GMT

Tax time is a busy time not just for accountants – but for identity thieves too.

Identity thieves use sophisticated phishing scams online to gather personal information. They also find – and steal – tax returns and other sensitive documents by going through garbage containers and recycling bins.

The cost to victims of identity theft is an estimated five billion dollars per year in the U.S. Furthermore, if your identity is stolen it can be a long and frustrating process to undo all the damage.

It’s important to know which documents you have to keep and which ones you can dispose of securely.

Here’s a guide:

Keep tax returns for four years after they are filed.
Once you have the annual statement for taxable investments, dispose of all the monthly statements you’ve received. Document shredding is the most secure method of disposal. E-waste can be shredded too.
Keep bank statements that back up information on tax returns for up to seven years. Otherwise, shred them.
Destroy canceled checks after a year unless they confirm information on your tax return.
Keep credit card statements for big purchases and charitable contributions. Otherwise, shred statements.
Shred pay stubs after you have received payment.
Keep records of retirement plan contributions indefinitely.

There is more information at the IRS website at http://www.irs.gov/privacy/article/0,,id=186436,00.html.

Celebrate Data Privacy and Security on January 28 – and All Year!

Thu, 26 Jan 2012 15:11:14 GMT

Mark your calendars – January 28 is Data Privacy Day.

Data Privacy Day was started several years ago to increase awareness about data privacy and security. With activities and events taking place in the workplace and at schools and universities, the goal is to encourage dialogue and understanding about data security and protection, and to promote best privacy practices.

Data Privacy Day is recognized across North America and Europe.

The actual date, January 28^th, commemorates the signing of Convention 108 by the Council of Europe in 1981. Convention 108 is data protection legislation that recognizes privacy and data protection security as well as the individual’s right to protection of personal information.

In North America, privacy laws include the Health Insurance Portability and Accountability Act (HIPAA), Fair and Accurate Credit Transactions Act (FACTA) and the Gramm-Leach-Bliley Act. These laws require the secure storage and destruction of sensitive information once it is no longer needed.

One of the best workplace practices is a Shred-All policy. Shredding documents is the most secure method of destruction.

How can your company be part of Data Privacy Day?

Celebrate Data Privacy Day – on January 28 and the weeks following –by promoting the day in company newsletters and by holding security awareness training for employees.

In the past, activities have included government announcements about Privacy Day as well as events in schools, technology demonstrations and instructional videos.

For more ideas and information, visit

http://www.staysafeonline.org/dpd/awareness/businesses-corporations

Data Breach: Patient Privacy and Data Security

Wed, 18 Jan 2012 13:55:32 GMT

“A lot of healthcare organizations figure their mission in life is to treat people and get them well, it's really not about patient data security," Larry Ponemon, chairman and founder of the Ponemon Institute, told InformationWeek Healthcare.

But, of course, it is about patient data security too - and that was his point.

Ponemon was discussing the 2011 Benchmark Study on Patient Privacy and Data Security by Ponemon Institute. One of the most significant findings was that data breaches have risen by 32% in 2011compared to 2010. Most of the data breaches were due to employee mistakes and carelessness – 49% of study respondents cited lost or stolen computing devices while 41 % noted unintentional employee action.

The report estimates that data losses and security breaches cost the U.S. healthcare industry about $6.5 million.

One clear message the study sends is that healthcare organizations – like all organizations that handle sensitive information – need to increase awareness among employees about the importance of safeguarding private information.

Safeguarding means protecting sensitive information until it is no longer needed, then disposing of documents securely. Shredding confidential documents is a secure and trusted method of destruction.

To help determine the level of awareness of document security throughout your organization and your potential risks, take this Risk Assessment Survey.

Workplace Security and The Importance of Policies and Procedures

Thu, 12 Jan 2012 16:33:28 GMT

It’s never been more important for a company to have written policies and procedures about the protection and disposal of sensitive and personal information.

Interestingly, in a recent survey more than 1/3 of businesses in Canada admitted to not having a protocol of any kind for storage and disposal of confidential information.

That’s not acceptable in North America these days.

The law states that private information is properly destroyed when it’s no longer needed. Those same laws have detailed policies and procedures for protecting and destroying sensitive information.

The Fair and Accurate Credit Transactions Act (FACTA), (which protects consumers from identity theft in the US), says businesses that handle credit in any way must have a procedure to protect and dispose of personally identifiable information.

HIPAA, the Health Insurance Portability and Accountability Act, requires that all patient information is properly destroyed – based on written procedures.

In Canada, PIPEDA, the Personal Information Protection and Electronic Documents Act, says organizations must develop and implement privacy policies and procedures that include the destruction of personal information.

The common message: if you don’t have them yet, develop policies and procedures for protecting and destroying sensitive information – and put them in writing.

Employee training is the next step. And, be sure to introduce a shred-all policy so all unneeded documents are securely destroyed on a regular basis.

Written policies and procedures provide employees with information but they also show regulators and, almost more importantly, customers, that your organization is committed to these important practices

Disposing of E-Media: It’s Crushing

Thu, 05 Jan 2012 13:12:54 GMT

It’s important to have a secure disposal plan in place for getting rid of sensitive electronic records.

A lot of organizations don’t.

64% of respondents in a 2009 survey cited in Information Management magazine didn’t have formal procedures or know if or how the destruction of electronic records were managed.

That not only increases the risk of a security breach, but it’s also against the law.

Privacy laws in North America specify that all sensitive documents are disposed of securely when they’re longer needed. What exactly does that mean for e-media?

In the United States, regulations like the Health Insurance Portability and Accountability Act (HIPAA), Fair and Accurate Credit Transactions Act (FACTA) and Gramm-Leach-Bliley Act require you to destroy or delete electronic files or media so that information cannot be read or reconstructed. In Canada, Personal Information Protection and Electronic Documents Act (PIPEDA) regulates how electronic files or media should be handled.

But it’s really not as simple as deleting or erasing information. Powerful forensic software may be able to recover ‘deleted’ or ‘erased’ data. MIT tested this theory and found that 92.4% of sensitive information that had previously been deleted or erased from 158 hard drives was in fact recovered!

How can you be sure sensitive data on old computers is protected and truly destroyed when it’s no longer needed?

Crushing or shredding hard drives and e-media is in fact the most secure method. When e-media is shredded and crushed, all data is 100 percent non-recoverable.

Privacy Laws

Thu, 29 Dec 2011 11:43:18 GMT

How long do you have to keep documents for?

For sure, many businesses are required to keep a variety of records and documents for a minimum amount of time, usually seven years. But the answer really depends on the industry you are in and the legal requirements and privacy laws that pertain to the information. Also, laws and requirements can differ by state and country.

For organizations in the healthcare field Health Insurance Portability and Accountability Act, (HIPAA), requires appropriate safeguards to protect privacy of information for as long as you maintain records. HIPAA also requires that all patient information be properly destroyed when it is no longer needed.

Of course, the legal requirements are not only about keeping documents but also about securely disposing of them when they’re no longer needed.

Other privacy legislation including the Fair and Accurate Credit Transaction Act (FACTA) and the Personal Information Protection and Electronics Documents Act (PIPEDA) in Canada stipulate that businesses have a procedure to destroy sensitive information.

At the end of the day, what’s most important is that every business creates appropriate records retention programs that includes both retention guidelines and secure document destruction.

A shred-all policy and regularly scheduled shredding will protect information and eliminate the potential for identify theft and fraud.

Document Destruction – Prove It

Wed, 21 Dec 2011 15:06:53 GMT

Has your business ever been asked to prove that certain documents no longer exist?

It can happen... and the best way to provide proof would be to pull out an official certificate of destruction verifying exactly when and where document destruction occurred.

Of course, destroying documents that are no longer needed is a very important part of compliance with privacy rules and legislation. And, in North America, there’s a lot of them. In the United States, for example, the Health Insurance Portability and Accountability Act (HIPAA) protects a person’s privacy; the Fair and Accurate Credit Transactions Act (FACTA) protects consumers from identity theft. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information.

Privacy legislation, in effect, stipulates that once confidential information is no longer needed, it must be securely destroyed. Shredding documents (and e-media) is the preferred method because after documents have been shredded, they can’t be pieced back together again.

But the other important aspect of compliance that people don’t always think about is the need for documentation – of what and when sensitive documents were destroyed.

To be compliant, your business must be able to prove that documents have been destroyed.

The simplest way to do that?

Partner with a reliable document shredding service that understands privacy legislation in your industry and provides certificates of destruction each and every time it services your location. Also, be sure to keep certificates of destruction on record.

Just in case you may have to prove it one day.

How Safe is Off-Site Document Destruction?

Thu, 15 Dec 2011 16:14:43 GMT

Off-site document destruction can be risky business... and at worst lead to a security breach.

The first concern is how confidential documents are stored before they are picked up. If they’re in open bins or boxes – rather than locked consoles – they can be easily accessed by anyone.

Some companies sort paper before it is shredded to improve recycling grades – and that means confidential information is exposed.

At the same time, off-site destruction means there’s no opportunity to watch the actual paper shredding process, and really, no positive proof that documents have been properly destroyed.

Still have questions? Explore the presentation below for more information about why mobile shredding services at your location, is the most secure method.

How Secure is Your E-Media Disposal Process?

Thu, 15 Dec 2011 13:14:17 GMT

It would be wonderful if you could delete or erase all of the sensitive data that resides on old company computers and ensure it was gone for good.

But you can’t.

In fact, not only does that sensitive data stay on your computer, but it’s easier to recover than you would think.

MIT, for example, was able to recover 92.4%, almost all, of the sensitive information contained on disposed of hard drives; including credit card and social security numbers, medical records, emails and much more! This information had already been either deleted or erased from 158 used hard drives.

Consider that most corporate computers contain sensitive data, and almost half of businesses still stockpile their old hard drives. Add the risks that forensic software programs create and the number of security breach escalate... with the average breach costing $7.2 million!

At the same time, computer ownership continues to grow and research suggests there are over one billion personal computers in use around the world. Some people own more than one computer, and they are upgrading to newer models constantly. With improvements in processor speed, memory, etc., the average length of ownership has dropped from 8 years to 3 years. That’s a lot of computers containing sensitive personal data that need to be disposed of safely and securely.

So, how do you guarantee that sensitive data on old computers is protected and truly destroyed when it’s no longer needed?

Answer: Crushing or shredding hard drives and media is the most secure way to permanently destroy the data. When e-media is shredded and crushed, it is 100% non-recoverable.

For more information regarding e-media shredding, visit http://www.shredit.com/Shredding-Service/What-to-shred/Hard-drive-destruction.aspx

Small Business Security – Understanding the Risks

Wed, 07 Dec 2011 14:39:03 GMT

Your small business is unique. You might think that, due to the smaller size of your business, it isn’t exposed to the same security risks as a Fortune 500 company. Unfortunately, a smaller company doesn’t equate to a smaller risk.

In 2010, Symantec performed a business security survey on small businesses with fewer than 100 employees. It found that 75% of small business owners are somewhat or extremely concerned about their security risk, and 42% of those surveyed have actually lost confidential or proprietary information in the past.

So what should you be doing to secure your company? While it’s important to devote time and resources to securing your technology and protecting your business from cyber threats, you also need to be aware of how to reduce physical risks with your confidential paperwork.

Here’s a checklist to help you get started:

Train employees about what type of paperwork has confidential information.
Limit access to areas where confidential documents are stored.
Understand compliance legislation and document retention policies that pertain to your industry.
Use a reliable document shredding provider to destroy confidential documents once they are no longer needed.

By following these tips, you’ll be taking important steps to protect your company’s confidential information.

Is my paper shredder good enough?

Fri, 02 Dec 2011 11:07:26 GMT

It’s an established security practice that shredding documents is the best way to destroy confidential paperwork and materials. But did you know that how you shred your documents is equally important? While you may think the paper shredder you bought from the local office supply store is keeping you secure, it might not be cutting it…literally.

Here are some key points to consider when evaluating shredding equipment:

Type of cut. Home office shredders typically shred documents in vertical strips. This cut is substantially less secure than a crosscut or confetti shred.

Office materials. Some lower-quality shredders cannot accommodate paper clips, staples or bound documents so your employees must take the time to prep each document prior to shredding.

Multimedia. Credit cards, CDs, hard drives and computer disks must be shredded to maintain security and a less expensive shredder usually doesn’t have the power to shred these tougher materials.

Capacity. Budget shredders can’t handle multiple sheets of paper at once or have a low capacity – meaning it could take a while to shred a large document.

Longevity. An inexpensive shredder is likely to fail under the usage demands of an office because most units simply weren’t designed for that type of wear and tear.

Considering the limitations of a common office shredder and the time and expense associated with operating and maintaining it, a budget shredder may not be saving you money. More importantly, if your shredder isn’t destroying materials in such a way that makes them impossible to reconstruct, your company’s reputation and information security could be at risk.

Mythbusters: Document Shredding Fact versus Fiction

Thu, 24 Nov 2011 14:57:54 GMT

We’ve heard common questions and concerns regarding document shredding, and whether or not it’s a necessity for businesses today. We’ve summarized our responses to those common questions below to debunk those myths.

Four common document shredding myths:

No one looks through my trash so why would I shred? You might be surprised to learn that combing through trash or dumpster diving is a routine activity for many thieves, and it is considered so profitable, it’s been a tactic for some organized crime rings.

I store my records securely so I don’t need to shred. While securely storing your records is a sound security practice, both the United States and Canada have laws that mandate how long businesses should retain records before destroying them.

You can’t recycle shredded paper. Shredded paper can indeed be recycled and used for a variety of consumer products.

My company is too small for a shredding service. Considering a 2010 EPA report found the average office worker uses 10,000 sheets of paper per year; your office is creating more paperwork and waste than you’d imagine.

Armed with a better understanding of these myths, you can begin to separate fact from fiction to better tackle your document shredding solution.

Are you making it easy for identity thieves?

Thu, 17 Nov 2011 15:04:14 GMT

Last month a street sweeper in Aurora, Colorado, found hundreds of dental patient records near a dumpster behind a shopping center. The records contained names, addresses, social security numbers and birth dates of patients. What a field day it could have been for identity thieves!

While police were able to trace the documents back to a dental practice located nearly 20 miles away, the owners of the practice had no idea how the documents ended up in Aurora.

So did the documents blow off a recycling truck? Was an employee careless putting out the garbage? Were the documents stolen in the first place?

It should be none of the above.

Information protection is the law

In the U.S. (and Canada), laws prohibit medical practices from putting sensitive documents such as patient information into the garbage. All confidential information must be protected – and completely destroyed – when no longer needed.

Shred it – for sure

The most secure method of document destruction is shredding. Once paper has been properly shredded, it can’t be reconstructed again. (Keep in mind that identity thieves have been known to painstakingly put hand-torn documents back together again.)

Information security checklist

To protect against security breaches in any type of business, Shred-it, a world-leading information security company, recommends:

Stay up-to-date about privacy laws and legislation in your industry.
Be compliant with all the rules.
Implement a shred-all policy in your workplace.
Partner with a reliable shredding company.

Find out more about Information Protection.

Corporate Security: The Decade’s Top 10 Biggest Data Breaches

Thu, 10 Nov 2011 16:39:15 GMT

Doesn’t it seem like data breaches and security hacks are constantly in the headlines? These news items should serve as cautionary tales that your corporate security must be an ongoing initiative. To give you a little perspective about just how far-reaching data breaches can be, we’re counting down the Top 10 breaches of this decade based on the number of people affected.

The statistics are compiled by Privacy Rights Clearinghouse, and this list was developed by Paul Stephens, director of policy and advocacy.

In 2009 Heartland Payment Systems announced hackers had broken into computers used to process 100 million transactions for 175,000 merchants.
In 2009, the U.S. Department of Veteran Affairs inadvertently compromised the identity of 76 million veterans
In 2009 Supermarket chain Hannaford Bros. Company had a security breach that affected up to 4.2 million customers.
In 2008 Bank of New York Mellon compromised the information of 12.5 million people.
In 2008 CheckFree Corporation reported that hackers hijacked several domain names and tried to install malware on visitor’s computers, affecting an estimated 5 million people.
In 2007, Certegy Check Services disclosed that an employee had stolen the personal information of 8.5 million people.
In 2007, 6.3 million customers of TD Ameritrade had their confidential information potentially exposed when a database was hacked.
In 2006 TJX Company, Inc. announced more than 45 million customer records had been stolen.
In 2006 U.S. Veterans Affairs officials revealed that a laptop containing the personal information of 17.5 million veterans was stolen in a burglary.
In 2005 Card Systems experienced a security breach that exposed more than 40 million card numbers.

Security threats can come in all shapes and sizes. Avoid being one of these statistics by making your company’s security a top priority.

Source: http://abcnews.go.com/Technology/Media/10-top-data-breaches-decade/story?id=10905634

How Secure is the Hospitality Industry? [Infographic]

Thu, 03 Nov 2011 12:04:48 GMT

Most of us associate the hospitality industry with fun activities such as dining out at your favorite restaurant, vacationing at a beachfront hotel, or shopping at your favorite clothing store. But, there’s another side to the hospitality industry that you need to be aware of – how secure is your confidential information at these establishments?

Not very secure, according to a study that revealed more than 919 million records had been compromised over the last six years!

From point of sale systems such as ATM and Interact machines to guest paperwork, you’re providing plenty of sensitive information to hotels, restaurants and bars.

For hospitality managers and directors, it’s critical to first understand your legal obligations to protect your guests’ privacy and then evaluate how well the Security Policies you have in place are protecting your guests and your business.

Shredding Paper and the Environment

Fri, 28 Oct 2011 14:54:15 GMT

Our video series has focused on educating you about the advantages of document shredding as it relates to making your company more secure. But, document shredding has another positive role if your shredding provider recycles the materials – it is environmentally responsible.

Watch our two minute video to see how paper shredding can help your office becomg more environmentally friendly:

Consider these stats – the average office worker in the U.S. uses 10,000 sheets of copy paper each year, or four million tons of copy paper used annually. Office workers generate approximately two pounds of paper and paperboard products every day.¹ With these numbers, you can see how a huge volume of paper is generated – and potentially wasted.

On the other hand, when shredded paper is recycled, the environment benefits from:

Less demand for new lumber; more trees are left in our forests
Less energy and water needed for processing new lumber
Less waste being dumped in landfill sites

Considering these gains, it really makes sense to find a shredding provider that is committed to being green. In addition to asking if your document shredding provider recycles the destroyed materials, you can also gauge their environmental-friendliness by inquiring if:

They participate in other green initiatives such as using biodegradable hydraulic fluids or gas-efficient fleet vehicles.
They use recycled materials in any other aspects of their business.

¹ http://www.epa.gov/osw/conserve/materials/paper/faqs.htm

How to choose a Shredding Company?

Fri, 21 Oct 2011 11:01:59 GMT

As we conclude our video series about the importance of document security and shredding, the next step is to examine what to look for in a document shredding provider? While you may be tempted to make a hasty choice or base the decision entirely on price, document security is too important of a concern to take any risks.

So what exactly should you be looking for when deciding on a Shredding Company? Check out our 2 minute video below to learn some helpful tips:

When making your decision, use the following checklist when looking for a document shredding provider:

Has an excellent reputation and can provide references
Understands laws, especially as they pertain to your industry
Employs personnel that have undergone rigorous training and a background check
Offers a security risk assessment
Provides secure, locked consoles for documents prior to destruction
Shreds all documents in a locked on site area where the document handler is the only one with access
Gives you the option of watching the document destruction and provides a Certificate of Destruction
Uses cross-cut shredders and can accommodate other media types such as CDs and disks
Recycles all shredded paperwork

By following this checklist when you research potential document destruction providers, you will be able to make an informed choice about who to use…and who may be a cut-rate provider that’s not really providing you a secure solution.

Why is data security important?

Thu, 20 Oct 2011 11:13:28 GMT

In any company it is important to pay attention to the details. Understanding new legislation, developing compliant policies and responding to day-to-day questions and issues is enough to keep anyone busy for more than 40 hours each week.

Let’s look at the medical and healthcare profession specifically. HIPAA legislation and ensuing rules and regulations have been enacted to protect patients’ privacy, but you have to wonder whether the rules are really being followed when you read articles such as, “28 Health Data Breaches in the Past 6 Months.”

Published on September 2, 2011, the article details 28 security breaches with a few notable ones including:

A staff member at a VA Medical Center in Kentucky took home his laptop without authorization that contained the medical records of 1,900 patients.
The physical medical and billing records of roughly 1,200 patients went missing during an office move at Fairview Health Services in Minneapolis.
Southern California Medical-Legal Consultants unknowingly had medical files of almost 300,000 Californians unsecured on the internet.

While the causes of the breaches vary from carelessness to theft, when added together, this six-month period produced breaches that will potentially compromise the security of hundreds of thousands of innocent patients!

That is why it is so important for your company to uphold your security policies.

Here are a few best practices every healthcare provider should implement:

Hire a director of compliance or legal counsel who can provide guidance and internal audits.
Restrict or manage employees’ access to sensitive patient information.
Designate an annual budget for security management systems.
Train employees on current HIPAA legislation and perform audits to ensure it is followed.
Develop strict security policies for any employee who uses laptop or mobile devices to access patient information.
Destroy confidential paperwork, records and billing documents in a timely and secure manner.

With these common sense guidelines in mind, you can implement policies and build a culture of trust that makes security everyone’s responsibility.

What to Shred?

Fri, 14 Oct 2011 10:35:09 GMT

In our first two videos, we’ve established the importance of keeping your company secure and your obligation to comply with information security privacy laws. We’ve also established the fact that shredding confidential information is the preferred way to destroy your information once it is no longer needed.

But, do you know exactly what to shred? Watch our 2 minute video below for tips on what you should be considering when deciding what information requires shredding services:

Certain information is obviously confidential and should be destroyed through document destruction such as:

Personal information with a signature
Account numbers
Patient medical information
Financial documents
Legal contracts or information

During the course of typical work activities, it is likely that your employees are also generating a lot of paperwork that you might want to consider protecting through document shredding such as training information, new product reports, performance reviews, marketing information, pricing initiatives and more. If this information is either lost or stolen, it could represent a major risk.

The recommended solution to mitigate as much risk as possible is to simply shred everything – a shred all policy. A shred all policy eliminates any confusion about what to shred because all confidential information is shredded after any retention periods are met. In addition to paper shredding, your security policy should extend to destroying non-paper products such as CDs and hard drives with shredding services.. Finally, don’t overlook how you store your documents prior to shredding because unless they are in a secure, locked console, they could be removed or stolen.

Why Outsourcing Makes Sense

Thu, 13 Oct 2011 10:02:38 GMT

Your employees face more distractions than ever in the workplace. From constantly buzzing mobile devices and cluttered email inboxes to office gossip and busy meeting calendars, it is easy for your employees to become distracted from their core responsibilities.

In fact, according to a recent survey by Workplace Options, 53% of employees report that distractions in the workplace hinder their productivity and 42% of workers either arrive early to work or stay late to avoid such distractions. Jonathan Spira, chief analyst of the economic research and advisory firm Basex, estimates that U.S. companies lose roughly $650 billion per year to workplace distractions.

Given these astonishingly high percentages and dollar amounts, what should you do to help employees become less distracted…and more productive?

One effective strategy is to minimize interruptions. In regards to electronic communications, you can implement department wide information “holidays,” where the use of email and smart phones is restricted for a specified length of time, enabling your employees to better concentrate on each discrete task. If you have enough office space, you can also designate “now” offices that cubicle employees can use on-demand if they need a quiet place to complete an assignment, make a phone call, etc.

Another way to improve productivity is to outsource tasks that drain your employees’ time and efficiency. Consider the case of in-house document shredding. In order to shred a document, your employee must stop what he/she is doing, prepare the document for shredding by removing binders or paperclips and then feed the paper through the shredder. This task may only take five minutes, but if it occurs three times during an average work day, that translates to a loss of 15 minutes per day or 75 minutes per week.

If you outsource your shredding to a reputable document destruction provider, employees simply need to discard materials in the appropriate bins and continue their work day. Employees remain focused and your company continues its culture of high security – a winning model.

What are Privacy Laws?

Fri, 07 Oct 2011 08:24:40 GMT

In the second video of our series, we will provide you with a quick overview of privacy laws. Protecting customers’ or patients’ confidential information is not only the right thing to do but also the law. Not knowing the law does not exempt you from following it.

Please take a few minutes to view our 2 minute video on privacy laws:

In the United States and Canada, legislation specific to certain industries has been passed to protect individuals’ confidential information. For example in the medical industry, the Health Insurance Portability Accountability Act (HIPAA) was passed in 1996 to protect patients’ health information. Specifically, the Privacy Rule outlines standards for the use, disclosure and disposal of patients’ health information.

The Gramm-Leach-Bliley Act (GLB) was passed in 1999, and contains privacy provisions relating to consumer financial information and how to safeguard data. In 2003, the Fair and Accurate Credit Transactions Act (FACTA) was passed with specific guidelines to protect consumers’ information.

PIPEDA, the Personal Information Protection and Electronic Documents Act is a law that Canadian businesses need to abide by when using and disclosing personal information. This Act also addresses the use of electronic documents.

The laws are just a few examples of the vast amount of legislation that has been created and passed over the last 15 years. Given that compliance is not an option and violations can be punishable with fines and even jail time, it is critical to not only make yourself aware of the privacy laws that apply to your industry but to ensure your have the correct processes and procedures in place to make sure you are abiding by them.

What should you do to ensure you complying with the privacy laws?

Understand privacy laws and how they apply to your business
Be compliant, with a clearly communicated information security policy
Store documents securely and shred them once they are no longer needed
Use a reliable shredding services and consider shredding all documents and implementing a shred all policy

What's the state of information security?

Thu, 06 Oct 2011 08:38:48 GMT

Information security and how well companies are protecting their confidential data is a popular topic, frequently making television, newspaper and internet headlines. A recent study by PwC US, in conjunction with CIO and CSO magazines, provided some quantitative data about the current state of information security.

The study reflected the opinions and policies of 9,600 security executives from 138 countries. When asked to define their position on information security, the executives responded with:

43% classify themselves as “frontrunners” and think they have an effective, proactive security strategy.
27% identify themselves as “strategists” and felt they had the right security plan but didn’t always execute it.
15% felt that they were “tacticians” while another 14% felt they were “firefighters” because they simply responded to security threats and issues.

These statistics illustrate that more than 4 out of 10 executives feel their security policies are on the leading edge. Yet, as the research dug deeper into the company’s security policies, only 13% of the companies actually received the “leader” or “frontrunner” designation.

To help you understand what makes a company a leader in security, we’ve outlined a few criteria:

Develop and implement a comprehensive security policy that covers electronic and paper information.
Understand the threats unique to your company and how to mitigate the risks.
Appoint a security information executive or CIO that reports at a high level on security policy and effectiveness.
Earmark a security information budget to ensure the initiative has enough funding to be successful.

With these tips in mind, you can evaluate how important of a priority information security truly is and whether your company is doing everything it can to protect its information and ensure a successful future.

Click here to view the complete survery

How to Develop a Social Media Policy

Tue, 04 Oct 2011 09:36:10 GMT

Social media websites continue to grow enormously in popularity. Consider these stats – Facebook had one trillion page views in June 2011, Twitter reported 100 million active monthly users and LinkedIn had 63% more visitors in June 2011 than it did for the same month in 2010.¹ While these social sites were initially viewed as enjoyable ways to maintain contact with friends and colleagues, many companies now use social networking channels to educate and engage customers or prospects.

This opportunity to connect with individuals on a more personalized level also comes with increased risks, particularly when considering your company’s security policy. We’ve outlined a few common security challenges associated with social media:

Fraudulent attacks. Phishing emails, viruses, click-jacking or malware are commonly found on social networks.
Brand hijacking. A company’s page is breached or hacked and false information is posted.
Corporate content. Proprietary or confidential information is shared by employees or they distribute company updates that are incorrect.
Electronic communications. Employees use low-security social sites to collaborate or share high-value, confidential documents.

Given these concerns, what should you do from an operational perspective to ensure social media is an asset, as opposed to a liability?

Outline current and intended social media usage and ensure these activities are aligned with your company’s goals…and its security policies.
Perform a risk assessment to identify and quantify the various, unique threats associated with your social media initiatives.
Enhance your current security policies to include social media guidelines such as: appropriate/inappropriate employee use, information security policies, marketing and communications usage and vendor management plans.
Provide social media training so employees receive practical demonstrations of what constitutes acceptable use and what types of information can/cannot be shared.
Monitor social media channels to ensure that employees are adhering to security policies.

By first examining the risk factors and then extending current security policies to encompass social media, you can create a social media presence that showcases your company – without compromising its security.

¹http://www.ababj.com/briefing/7-steps-to-effective-social-media-risk-management-2301.html

What is Information Security?

Thu, 29 Sep 2011 10:44:14 GMT

At Shred-it, we take your security very seriously. To help inform you and provide an engaging way to learn more about information security, we’ve created a series of five How-to videos. In our first video, you’ll learn that the majority of security breaches happen unintentionally and are often caused by employees who haven’t been trained about the types of information to safeguard or how to protect it.

This lack of education and knowledge comes with an expensive price tag:

9 million Americans and 2 million Canadians are victims of identity theft annually.
Identity theft costs victims in the U.S. approximately $5 billion dollars, taking 20 million hours and over $150 million to resolve.

Given these astonishingly high numbers, what should you be doing to secure information? One straightforward solution is to eliminate the security risk associated with paperwork by implementing a shred-all policy in your workplace. More than shredding confidential information such as receipts, billing information, credit checks, etc., a shred-all policy destroys all office paperwork. By securely destroying every piece of paper, you’re seriously reducing your security risks.

Get more information about a shred-all policy and tips for creating a secure company by watching our two minute video below:

Who's looking at your confidential business information?

Fri, 23 Sep 2011 10:12:02 GMT

An information security breach, identity theft, and improper document destruction practices put your business at risk.

View the infographic to learn interesting facts on how you can protect your business and customers from dumpster diving, a data breach and identity fraud.   You will also learn about the importance of reputation protection, paper shredding, and following a Shred all policy.

Document security is important, ensure you, your employees and your customers are protected with
Shred-it Document Shredding.

Download a PDF version of this Information Security  infographic.

How to create a secure workplace

Thu, 22 Sep 2011 08:57:39 GMT

As business owners and executives, you understand the importance of securing confidential information. It’s not only the “right thing to do” for your customers and employees, but it’s also required by law. Typically, businesses begin by developing security policies, a communication plan and then rolling them out company-wide.

Unfortunately, as we often witness, that’s the extent of the company’s security efforts. The security policy is rarely fully adopted; exposing the company, its customers and employees to tremendous security risk.

Given this scenario, what can you do to ensure your security policy becomes an important part of your corporate culture?

Make sure your security policy has executive-level support so VPs, directors and managers can lead by example.
Create a realistic training plan to educate employees about the security policies in stages, allowing your employees to retain what they learn.
Keep security top-of-mind by regularly communicating the latest threats, scams and security news to employees.
Enlist the support of other departments such as IT and Human Resources to perform login audits, training sessions, etc.
Remind employees that security isn’t limited to protecting customers – a secure company protects them as well.
Work with finance to ensure that you have a budget for your security policy efforts and training.

By making sure your security policy has these six points of support, you’ll be well on your way to creating a dynamic policy that is integrated into corporate culture…and keeps your company secure.

Protecting Patient Privacy - How Important is it? [Infographic]

Wed, 14 Sep 2011 13:24:00 GMT

Patient privacy continues to make headlines. A search of today’s Google News revealed an article about a breach at the North Bay Regional Health Centre (NBRHC) in Ontario and another one in North Carolina about a doctor who received a $40,000 fine.

In the case of the NBRHC, during a privacy audit, the facility discovered that an employee improperly accessed files of up to 5,800 patients. The breach in North Carolina occurred when the practice was moving offices, and a box of records containing confidential information was accidentally discarded at a recycling center!

As both of these incidents demonstrate, whether caused by malicious intentions or carelessness, these breaches generate negative media coverage, expensive fines, and most importantly, jeopardize a patient’s privacy. By making privacy protection a priority today, you can avoid being tomorrow’s health care news.

How to protect Customer Privacy?

Wed, 07 Sep 2011 16:06:32 GMT

Building your reputation as an honest company begins by paying attention to the variables that influence public perception. From exceptional customer service and high-quality products to environmentally responsible business practices, many factors influence how people perceive your company and whether it’s trustworthy.

One variable that’s been in the headlines is how well (or poorly) a company protects its clients’ confidential information. Stolen laptops, low-security passwords, outdated firewall protection and misplaced client records are just a few of the ways that security breaches, and ensuing identity theft, have occurred recently.

As a company that takes its responsibility to information security seriously, you can promote this distinction to employees, clients and prospective customers. Here are a few suggestions:

Begin your “security-centric” thinking in the interview process by asking prospective employees questions about information security so you can gauge whether it’s important to them.
Emphasize your data security achievements and milestones during new employee orientation.
Devote a section/subsection of your website to your company’s security initiatives and how they help keep client information protected.
Promote your company’s new security programs or new initiatives in a press release, through social networks, etc.
Highlight your track record of security in fact sheets, presentations, brochures or other marketing materials.

These five points can go a long way toward distinguishing your company from the competition, as well as emphasizing that your corporate culture of trust protects everyone from employees to clients.

Keeping Customer Information Secure

Wed, 31 Aug 2011 16:01:16 GMT

Many forward-thinking companies have already developed and implemented security policies that are devoted to keeping company and client information secure. Yet, certain departments within your company might have specific risks that aren’t covered by the broad-spectrum corporate security policy.

For example, consider your sales team. The sales team can create unique security risks based on their access to customer and prospect information, use of contracts/agreements and even their mobile workplace. To add to the challenge, your sales people are focused on making sales and hitting their goals so corporate policies can feel cumbersome or counterproductive to their sales effort.

The best solution is to identify the unique risk factors and mitigate them with easy-to-follow security practices and solutions:

Risk: Accessing client and prospect information
Solution: Have IT monitor logins periodically to ensure sales is only accessing the information they need for specific accounts or sales

Risk: Communicating sensitive information via email
Solution: Train employees about what information can be shared electronically and encrypt all emails/attachments

Risk: Working off site or from home
Solution: Educate employees about the importance of using only secure networks and that security policies must be followed, even from a remote worksite

Risk: Using portable technology including laptops, USB drives and smart phones
Solution: Keep security software current on all devices, use encryption software and ensure all items are password-protected and default to a locked screen when idle

Risk: Generating confidential paperwork such as contracts, renewals, rate information, service level agreements, etc.
Solution: Implement a shred-all policy where all paperwork (regardless of what it contains) is shredded securely once it is no longer needed

By thinking of your sales team’s daily activities and how they might pose a security risk, you can then identify solutions to create a more secure environment for your clients, employees and your company.

Your company’s security extends beyond customer information

Wed, 24 Aug 2011 16:03:07 GMT

Shredding confidential paperwork is an important way that you can protect your customers’ privacy. Destroying confidential information such as: customer lists, sales stats, any financial records and personnel files… that’s all sensitive information. But there’s much more. Legal documents, cancelled checks, account records, computer printouts they’re nobody’s business but yours. Then there’s advertising misprints, tax records, invoices and price lists. Inventory lists, outdated business records, new product proposals, credit card receipts and competitive information. If they are confidential or sensitive they need to be destroyed when it’s no longer needed?

But how are you disposing of other paperwork that is generated on a daily basis? For example, internal documents detailing product launches or pricing initiatives could be a goldmine for competitors if such information was lost or stolen. It’s clear your security policy and document handling practices must be extended to encompass corporate materials as well as client information. We’ve outlined a few steps:

Identify the corporate materials that are classified as confidential and should be protected.
Develop a comprehensive overview of how these internal documents are generated, revised and stored so you can spot any security weaknesses.
Encrypt the data on portable devices such as smart phones, tablets, external memory drives and laptops so company information is better protected in the event of theft or loss.
Extend the same secure document handling practices used with client information to corporate documents, and shred documents once they are no longer needed.

Do you have questions about how to get started? At Shred-it, we’ve been helping keep companies secure for more than two decades. Contact us today!

Tips for Improving Patient Security

Wed, 17 Aug 2011 14:38:48 GMT

Medical data breaches continue to make the headlines these days, even though privacy legislation mandates compliance and violations are punishable with fines and/or jail time. With the average price tag of a breach costing $6.6 million, preventing a breach is critical to the success of your health care organization.

FierceHealthcare, a leading provider of daily news for health care executives, recently interviewed Andrew Lenardon of Shred-it International to tackle this topic and explore his expertise within data security.

What unique security issues face health care providers?

Employees do not always understand or receive proper training about privacy compliance and security protection requirements.
There is a lot of paperwork generated on a daily basis, and anything confidential (that does not need to be retained) must be destroyed in a secure manner.
Hard drives in copiers, laptops and external storage devices can contain confidential information so they must be handled securely.
Breaches are likely to occur due to human error or negligence

Given these variables, what can health care professionals do to minimize security risks?

Identify the unique security challenges within your organization.
Understand how data is handled internally and where it may be exposed to risk.
Consider implementing a shred-all policy, so no one has to decide what is or isn’t confidential
Make funding your organization’s compliance and security efforts a top priority.

Andrew Lenardon is the Director of Indirect and Solution Sales for North America at Shred-it International. To read the entire article, please visit http://www.fiercehealthcare.com/story/tips-patient-data-security-policies-education-funding/2011-07-22.

Why Document Security & Reputation Management Are Critical

Wed, 10 Aug 2011 15:03:13 GMT

Is an impeccable reputation important to your business? According to a World Economic Forum survey, more than a hundred executives ranked a company’s reputation as the second most important measure of success, with quality being number one. It’s not surprising that a company’s reputation is such a high priority because a great reputation can help your business win new customers, develop partnerships, command a higher price in the marketplace and improve customer loyalty.

While the correlation between reputation management and information security may not be obvious at first, consider the repercussions of poor information handling. Improper handling can lead to a security breach or identity theft and the negative impact of these risks are far-reaching and expensive. Restitution payments, legal fees and fines are only part of the picture. Companies facing a security breach inevitably are the focus of negative media coverage, increased customer attrition, higher employee turnover and lost business – all of which contribute to a diminished brand image.

That’s why it is so critical to view information security as an essential part of managing and protecting your company’s reputation. At Shred-it, we recommend taking the following steps:

Examine the paperwork lifecycle to understand how it is passed between departments, outside parties, etc. so you can spot any potential weaknesses or loopholes.
Limit access to confidential information within your workplace by locking filing cabinets, limiting access to the record room, etc.
Train employees on how to handle confidential information and educate them about the legal obligation of protecting every individual’s privacy.
Implement a shred-all policy, where all documents are shredded once they are no longer needed.

By following these steps, you can better establish a process that keeps confidential information secure – and protects one of your most valuable assets – your reputation. To learn more, please download your complimentary copy of “The Business Guide to Document Security & Reputation Management” today.

Raising the Stakes of HIPAA Compliance

Thu, 04 Aug 2011 09:22:45 GMT

As security experts, we have long understood that serious violations of the Health Insurance Portability and Accountability Act (HIPAA) can lead to costly fines and even jail time. Many professionals may believe that a misdemeanor is only punished with a warning and a fine, however the example below, will show you otherwise.

Consider the example of Huping Zhou. Zhou was working as a medical researcher at the UCLA School of Medicine in 2003. In late October 2003, Zhou received a notice that he was going to be terminated in three weeks based on his job performance (unrelated to any privacy violations). During the following three week period, Zhou accessed the organization’s electronic health records system and viewed medical records of his supervisors, co-workers and celebrities without a legitimate or authorized reason.

In April 2010, Zhou pleaded guilty to four misdemeanor counts of accessing and reading confidential medical records. As a result, he was fined $2,000 and sentenced to four months in jail. With that sentence, Zhou became the first person in the United States to receive jail time for a minor HIPAA breach.

The surprising fact for most medical and legal experts was the severity of the sentence as Zhou didn’t sell or profit by accessing this information – he only viewed it. This ruling clearly demonstrates that the legal system is serious about enforcing and punishing all types of HIPAA violations, not only ones with malicious or criminal intent.

Given the seriousness of HIPAA enforcement, what should you being doing to ensure compliance?

Employ a security officer or manager who is responsible for maintaining and enforcing HIPAA-compliance standards.
Train new hires on secure information handling practices that are HIPAA-compliant.
Limit access of confidential records to only those who require it.
Facilitate regular training sessions to keep employees up to date on HIPAA legislation.
Develop an incident response procedure in the event of a breach.
Dispose of confidential information securely by shredding it once retention periods are met.

Following these steps will help to create a solid foundation for ensuring HIPAA compliance for your medical practice, covered entity and business associates. To learn more about medical compliance in the U.S. and Canada, please visit this page.

Outsourcing Shredding is More Secure than Doing It Yourself

Wed, 27 Jul 2011 11:00:40 GMT

Have you noticed how many security breaches are in the headlines these days? From medical records being stolen from an unlocked van to confidential documents being left in recycling bins, there are numerous examples of companies that were sloppy in the handling of confidential paperwork. This carelessness has resulted in the victims’ identities becoming comprised or stolen, while the negligent companies have faced costly fines, legal fees and restitution.

As a response, we’ve seen a growing number of companies investigate the ways they can improve their document security policies, including shredding documents once they are no longer needed. At first glance, document shredding sounds straightforward and not any more difficult than buying a shredder from the local office supply store. There are many variables, however, that must be considered to ensure documents are destroyed thoroughly and securely.

We’ve outlined a few common challenges that companies should consider before making document shredding a company policy:

Equipment concerns:

Strip shredders, the smaller ones commonly found in personal offices, do not provide secure document destruction because the vertical strips can be reassembled.
Personal shredders oftentimes fail under the demands of an office environment, leaving confidential information intact until the equipment is replaced.
Personal shredders cannot shred tougher materials such as staples, binders, paperclips, CDs, DVDs and more.
Computers and photocopiers may expose confidential data, even with hard drive erasing software – only destroying the hard drive professionally is 100% reliable.

Personnel concerns:

Shredding paperwork uses employees’ time, taking them away from other, more productive activities.
Just shredding your documents doesn’t make your business legally compliant – in the event of a suspected breach, a Certificate of Destruction from a reputable shredding provider is required to show proof of destruction.
Unauthorized employees may be exposed to sensitive information as many companies use an administrative-level employee to reduce the resource costs of document shredding.
In house shredding cannot respond to spikes in demand, which is commonplace in many businesses.

Financial concerns:

According to the Ponemon Institute, in 2010, the cost of a breach was $214 per compromised record, and a data breach event averaged $7.2 million.
In addition to restitution, companies face expensive legal fees, and possibly, fines or criminal investigations.
Intangible costs such as the damage to a company’s reputation, negative media coverage, increased customer attrition rates, etc.

Knowing what to Shred is Vital

Tue, 26 Jul 2011 15:12:33 GMT

Paper consumption continues to increase, despite the advances in technology. So does the risk of information falling into the wrong hands. All personal data and confidential information needs to be protected. It's not just good business practice. It's the law.

Have you ever wondered what should be shredded and placed in your console and what can't?

Knowing what to shred is vital. This handy poster about 'What to Shred' will help you determine if you’re shredding everything that’s appropriate, and may offer some new information. Consider sharing it with your employees to help them achieve maximum document security in your workplace.

You may also want to consider employing a Shred-All policy to ensure all confidential information is being securely disposed of.

Protect yourself, your company and your customers, and ensure the safety of your confidential information. Download your 'What to Shred' Poster now

Analyzing the Cost of In House Shredding

Thu, 21 Jul 2011 10:44:11 GMT

As companies take steps toward making themselves more secure, we’re happy to see that many are recognizing the key role of document shredding. Shredding does more than safeguard your customers’ confidential information – it also keeps employee information, company financial records and proprietary business documents from getting into the wrong hands. When done thoroughly and securely, shredding is simply the best way to ensure confidential documents are destroyed.

At first glance, in house shredding seems more affordable because you aren’t adding expense by hiring a vendor to manage your document destruction. However, when you break down the costs, in house may not be as affordable as you think. Here’s a way to calculate the average employee time spent performing your document shredding:

How many people do you employ?
How many people in your office need to perform shredding on a weekly basis?
A reasonable (even conservative) estimate would be that about 20% of the workforce or 5 people shred documents.
How long does it take to shred documents? Remember to factor in the time it takes to get to the shredder, remove paper clips and staples, feed the document, etc. We’ll assume 30 minutes per person in this example.
Time spent shredding per week:
30 minutes/week x 5 employees = 150 minutes/week
Time spent shredding per month:
150 minutes/week x 4 weeks = 600 minutes or 10 hours of lost time each month!

Now, let’s translate 10 hours into a more meaningful number. We’ll assume your business will try to use a lower cost resource such as someone at the administrative level to handle the shredding. According to salary.com, the median salary for an administrative assistant in a major U.S. city is $34,309 or roughly $16.49/hour. Multiplying $16.49 x 10 hours equals $164.90/month or $1,978.80/year.

Remember, this number does not include the additional fixed costs of in house shredding such as:

Cost of document shredding equipment, including maintenance contracts or repair/replacement expenses.
Cost of associated supplies such as wastebasket liners and receptacles.
Cost of physical space dedicated to shredding equipment and collection units.
Cost to dispose of shredded materials.

After weighing these factors and calculating both personnel and fixed costs, you may find that your calculation for in house shredding is higher than what a reputable outsourced document destruction service charges.

Who You Hire Really Matters

Wed, 13 Jul 2011 17:28:00 GMT

Budgets are under as much scrutiny as ever, and as a result, you might find yourself under pressure to reduce operations costs. From negotiating new contracts with vendors to lowering starting salaries or making the new hire screening process less rigorous, the places you might look to save money are limitless. Yet, any money you save during the hiring process in the short term is of little value when compared to the problems associated with not really knowing who you have just hired.

For example, consider the story reported last month by Denver-based 9News, “Nurse accused of stealing identities of hospital patients.” A registered nurse worked for at least five hospitals in the Denver area, and he improperly accessed patient files to steal Social Security numbers and other confidential information. The nurse then used this information to open credit card accounts and make fraudulent purchases. Upon further research, the 9News investigative team learned this nurse had been placed at these medical facilities via a now-defunct nurse staffing agency.

The details are still emerging so it is rash to assign blame to only the nurse staffing agency, but the fact remains – hospitals that used this agency trusted that they were getting a screened and reputable employee, but instead had a criminal working among them.

While legal counsel will sort through the details and patient restitution, all of the associated hospitals have received unfavorable media coverage and lost valuable personnel time due to the event. Down the road, they also may lose new patients and business opportunities due to their diminished reputations.

Given the expense and repercussions, what lessons can you learn from this incident? We’ve compiled a 5-step checklist:

Standardize the application paperwork so you are receiving consistent, comparable information about each and every applicant.
Perform a background check plus a credit check to determine whether the candidate has been forthcoming in the application process.
Include situational interview questions to gauge how well the applicant understands the importance of information security.
Check references and ask questions that are specific to the candidate’s job functions, especially the handling of confidential information.
Use a reputable hiring agency because if their hiring or screening process is poor, you may have a major liability working for you.

By following these five steps, you are more likely to hire responsible and reputable employees that reflect your company’s commitment to information security.

The Price Tag of Insider Breaches

Wed, 06 Jul 2011 16:29:01 GMT

We understand the need to achieve growth and profitability for your business. One way to accomplish these goals are to monitor expenses. Yet, your company’s security is one area where short-term cost-cutting won’t pay financial dividends in the long run.

For example, consider the incident discussed in, “Bank of America data leak destroys trust,” published on May 24, 2011 by the Los Angeles Times. One (now former) Bank of America employee had stolen, "names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, email addresses, mother's maiden names, PINs and account balances.”

This confidential information was then passed to criminals outside of the bank, who allegedly used the data to commit identity theft. While the details of the breach are still emerging, a Bank of America official anticipated there are roughly 300 victims, with as much as $20,000 stolen from certain individuals.

With those estimates, Bank of America is looking at a theft of roughly $6 million. That number doesn’t factor in any legal fees, restitution payments or customer attrition, all of which make the actual cost much higher. In fact, the U.S. Secret Service, who busted the criminal ring, estimated the cost to the bank would be nearly $10 million. [i]

Think about these figures in the context of your business. Could you withstand such losses?

Given the potentially enormous expense of a security breach, prevention certainly makes sense. We’ve outlined a few internal security tips:

Know who you’re hiring by performing background checks, contacting references or outsourcing recruitment to a reputable employment agency.
Limit network access to keep employees’ access restricted from confidential information unless it is an absolute job necessity.
Monitor employee activity by using software thatsends alerts if certain files are accessed or an employee makes an attempt to download restricted information.
Educate your employees about how to properly handle emails, share files and destroy confidential paperwork once it is no longer needed.
Update your security policies to keep pace with new threats from criminals, employee turnover and emerging technology.

As you can see, these tips are based in common sense, and they are not necessarily difficult or expensive to implement. Yet given the frequency of security breaches, especially insider breaches, many businesses still have a lot to learn about company security. Don’t learn these lessons the hard way by implementing security measures after you’ve had a breach!

At Shred-it, we’re experienced at helping companies of all sizes and industries review their security policies and implement document destruction practices that are secure and reliable. Please visit our service page to learn more about how we can help keep your confidential information secure.

[i] David Lazarus, “Bank of America Leak Destroys Trust”, Los Angeles Times, 24,May 2011, 6, July 2011 <http://articles.latimes.com/2011/may/24/business/la-fi-lazarus-20110524>

Why You Need to Pay Attention to HIPAA

Thu, 30 Jun 2011 12:09:01 GMT

Medical compliance can be particularly daunting because of the complex regulations and evolving policies. An additional concern for many companies is that compliance extends beyond medical organizations. Businesses that function as a Covered Entities (billing services, life insurers, employers, public health agencies, etc.) or companies that execute a Business Associate agreement (lawyers, auditors, consultants, data collection services) must comply, as well.

If you need proof that HIPAA compliance is a major challenge, read the article, “Breaches Lead to Push to Protect Medical Data,” published on May 30, 2011 by The New York Times. Medical breaches have resulted in the improper exposure to a staggering 7.8 million personal medical records over the last 24 months! The article details two recent examples of medical record security breaches:

The personal information of 1.7 million patients, staff members, contractors and suppliers of Bronx hospitals and clinics operated by Health and Hospitals Corporation was breached when electronic files were stolen from an unlocked van.
192 paper records of patients were compromised after a hospital employee left the paperwork on a Boston subway train.

Not only are these breaches frustrating and expensive for the victims, but also imagine the consequences for the company implicated in the breach. From the negative media coverage to the expense of fines and restitution, a major breach could bankrupt a business.
That’s why I emphasize the importance of compliance with every company I advise. Five of my go-to tips are:

Underscore the importance of compliance. Many companies still don’t know what constitutes HIPAA or FACTA compliance – don’t be one of them and learn only after you’ve received a fine or had a breach.
Screen new hires thoroughly. Employees will have access to confidential information as part of their job functions so it is imperative to know who you’re hiring and if they have a criminal background.
Establish a virtual office policy. Both of the breaches I cited earlier occurred when records were taken off site – ensure that employees who use laptops or transport paperwork of any kind are well-trained in security policies.
Destroy all paperwork as soon as it is no longer needed. Paperwork containing confidential information represents a huge risk so destroy it securely as soon as you don’t need it.
Explore outside expertise. With all of the considerations associated with running a compliant organization, you might find that an expert consultant can help you establish information security policies and train staff.

Learn more about HIPAA and how it relates to your company by downloading Shred-it’s HIPAA compliance fact sheet. Do you have questions about making your business operate more compliantly? Please send me a question or comment.

How Secure is Your Business?

Thu, 23 Jun 2011 15:09:46 GMT

Just like you, I operate my own business. While its official classification is a small to medium size business (SMB), there’s really nothing small about it in my mind. In fact, running it takes up most of my time! My goals as an executive for a branch office of Shred-it are straightforward – deliver an outstanding service, operate a profitable company and provide my employees with a positive work experience.

But, running a business can come with unexpected challenges and risks. For example, in my line of work, I’m constantly educating business owners about the challenges associated with SMB security. While security may not be at the top of your list in terms of business objectives, it should be. Security breaches come with an expensive price tag. According to research conducted by the Ponemon Institute in 2010, data breaches cost companies an average of $214 per compromised record, up $10 (5%) from last year.

These figures prove SMB security should be a serious concern, but have a look at these statistics:

United States SMB Security
- 25% of SMBs have never reviewed their document destruction processes
- 6.7 million SMBs have never conducted a security audit
- 36% of SMBs have no protocol for storing and disposing of confidential data

Canadian SMB Security
- 47% of SMBs believe that a data breach would not impact their business
- 640,000 SMBs are not aware of the legal requirements for storing and disposing of confidential data
- 38% of SMBs have no protocol for storing and disposing of confidential data

Stop your company from being a vulnerable target by taking proactive measures to improve how you handle confidential paperwork. To get started, here’s a step-by-step checklist:

Understand the document lifecycle and when it should be destroyed.
Review how documents are stored and consider that limiting access or keeping cabinets or record storage areas locked is a smart, low-tech deterrent.
Conduct ongoing security information training as changes can occur to privacy legislation.
Destroy confidential documents securely as mishandled paperwork is an easy way for Security breaches to occur.
Make security a company-wide initiative – from awareness about the latest scams to reporting any suspicious activities, a culture of trust is a great defense against security breaches.

I hope this checklist has given you new ways to think about your company’s security. Not sure how your business stacks up? Shred-it has created a FREE self-assessment quiz.

Click here to learn more about the state of SMB security through our infographic where we have visualized our findings?

Thanks for joining me this week,

Steve MacKenzie.
Shred-it, Branch Office Executive

Just How Secure is Your Information? [INFOGRAPHIC]

Thu, 16 Jun 2011 11:35:26 GMT

It seems as though nearly every time you turn on the television or glance at a news website, security breaches that expose sensitive information to would-be thieves are making headlines. From the high profile Sony PlayStation hack to the Denver-area doctor who mistakenly left patient records in a dumpster, security breaches occur in many different forms – and can affect businesses of all sizes.

Scroll down to view our infographic that illustrates some very surprising small business security statistics.

How You Store Documents before Shredding Matters

Wed, 08 Jun 2011 18:25:21 GMT

As business owners and professionals, you understand the importance of document shredding and its impact on your company’s security. You may also be considering outsourcing that effort to a trustworthy document shredding provider rather than handle the work in house.

When evaluating different shredding providers, you might be asking all of the right questions about their shredding procedures, yet inadvertently overlooking a critical aspect – how secure are the documents in queue to be shredded? These confidential documents are fully intact, and therefore, pose a tremendous privacy and security risk should they be mishandled.

Mindful of this challenge, let’s examine what you should look for in a document container or console:

Security plate. Much like a beveled or angled slot for a mail drop, a secure console will have a non-removable security plate that prevents documents from being removed once they are deposited.
Static cling-free nylon bag. Due to the fact that even one non-shredded document poses a serious security threat, it is important to choose a provider that lines their consoles with cling-free nylon bags. You’ll be assured that all of the contents are captured and then destroyed entirely.
Easy disposal. Look for document shredding providers that don’t require any sorting of materials or the removal of paper clips, staples, etc. prior to shredding. Many consoles are built with wide feed slots to accommodate larger volumes or paper or even bound materials. Making the disposal of such documents as quick and simple as possible helps ensure employee adherence.
Non-moving. In theory, wheeled consoles sound like an excellent idea because they make transporting the documents to the shredder very easy. The console’s mobility, however, becomes a serious liability when thinking about document security because the entire unit and its contents can be wheeled away…and stolen.

Just as important as the console’s construction are the collection and destruction processes. First, ensure your potential document shredding provider offers regularly scheduled pick-ups. If the pick-ups occur too infrequently and the shredding consoles become filled to capacity, employees may be tempted to dispose of confidential documents in the garbage or recycling bins. Also, if your business cycle has times when you see a spike in confidential document creation, determine whether you can schedule pick-ups with short notice or one-time services.

Another consideration in the document collection process is whether the documents are left unattended once they are removed from the console. In the on site destruction model, the top providers have security checked and bondable personnel securely transport the materials to a truck, where documents are destroyed immediately. This process is highly secure because documents are not taken off the premises while intact, nor are they out of sight and exposed to additional people or weather elements.

Thinking about the entire document lifecycle, as opposed to simply destroying the document, can uncover additional security concerns and potential risks. That’s why finding a reputable and high-quality document destruction provider to walk you through the process is a smart idea for your business today and its future tomorrow.

Considerations of In House vs. Outsourced Shredding

Fri, 03 Jun 2011 09:35:56 GMT

Securing confidential information and protecting it from a security breach must be viewed as critically important for your company, regardless of its size or industry. More than just a moral obligation to “do the right thing,” protecting confidential information and destroying it once it is no longer needed keeps information secure – and maintains your company’s brand as trustworthy and reputable. Equally important, keeping confidential information secure is required by U.S. and Canadian law.

Given the need to protect and dispose of such information securely, you might be facing the decision of whether to implement an in house (using your internal resources) or outsourced document shredding solution. There are many considerations that impact this decision:

Cost. At first glance, using in house resources might seem much less expensive because shredding equipment can be relatively affordable and you already have personnel that can be utilized. But, upon further examination, consider the fact that shredding equipment must be capable of shredding everything from CDs to hard plastics, in addition to shredding documents to such a size where they cannot possibly be recreated. The equipment must also be maintained and serviced to ensure it is in good working condition. Moreover, while your employees may already be company resources, the time and distraction it takes to use the shredder adds up to significant numbers, when considered in terms of weeks/months.
Operations. In addition to the expense of the equipment and personnel labor, another variable is the hassle of preparing materials for shredding. From removing staples, rubber bands or paper clips to hand-feeding the shredder, the task of shredding can be onerous and annoying. Much like the copier that refuses to clear a paper jam, a malfunctioning shredder can waste important time and create frustration. This frustration or anxiety can carry over to other tasks the employee has and can create a less-efficient and less positive work environment.
Security. The reason for having shredding equipment is to ensure confidential documents are disposed of securely. Yet, the in house shredding model creates several security loopholes. One consideration is how the confidential information is handled before it is shredded. Most offices simply have receptacles that contain items “to be shredded.” Unless such containers are locked, third-party cleaning services or maintenance people can simply steal documents after hours – and expose the contents to tremendous risk. Another problem arises when determining which internal personnel is cleared to handle such sensitive records – after all, confidential documents may include accounting statements, employee records, proprietary company data, etc. One disgruntled employee could share a vast amount of confidential documentation, jeopardizing customer, employee and company information.

These variables introduced by an in house shredding model might make you reconsider whether handling such an important task internally really leads to any cost-savings or benefits. A reputable outsourced document shredding provider will eliminate the burden and time of shredding by collecting all documents in secure consoles and destroying them on site. What’s more, you will receive a Certificate of Destruction, ensuring all documents were destroyed thoroughly and securely. Finally, such a service will also have highly trained and screened employees so you can be assured that documents are not exposed to any undue risks.

Time to Spring Clean…Your Documents

Fri, 27 May 2011 14:26:56 GMT

Document storage and destruction is something you take seriously because it is a key component of running a secure and compliant business. But, much like our housework or chores, sometimes the tasks associated with document handling can slip through the cracks or become relegated to the to-do list.

If this scenario sounds familiar, take the same approach as spring cleaning a home and tackle your document handling with a renewed sense of purpose this month. While specific legal retention periods will vary depending on the industry and the document type, we’ve outlined three suggestions to help you get started:

Identify the paperwork that should never be destroyed. Certain corporate documents and records need to be kept indefinitely such as: certificates of incorporation, corporate charter, constitution and bylaws, minutes of board of directors meetings, deeds and easements, stock certificate/transfer records, retirement and pension records, labor contracts and license, patent, trademark and registration applications. Financial documents that should be saved indefinitely include: income tax reports, annual financial statements, accounting records and income tax payment checks plus all documents relating to fixed assets owned by the company and depreciated over time.
Determine what can be disposed of immediately. Memos, outdated forms, to-do lists, notes, old sales and marketing materials, etc. can all be discarded immediately, without any retention period. While most of this paperwork is harmless, internal documents that contain customer information or proprietary company information need to be shredded as opposed to being disposed of in garbage or recycling containers. This situation highlights why a “shred-all” policy may make sense because shredding every document eliminates any confusion or subjectivity about what constitutes confidential information.
Understand your industry’s legal compliance retention periods.
1. Six to seven years. Typically, this information will include sales records such as invoices, monthly statements, shipping papers and customers purchase orders. In addition to sales receipts, you need to keep employee records plus all travel records such as expense statements and receipts. Financial records that need to be kept include personnel and payroll records, such as payments and reports to taxing authorities, including federal income tax withholding, FICA contributions, unemployment taxes and worker's compensation insurance as well as all bank reconciliations, voided checks, and check stubs.
2. Three years. Examples of financial information include monthly and quarterly financial statements as well as personnel paperwork including employee applications, benefit records, expired insurance policies and general business correspondence.

In addition to identifying what paperwork should be retained for specific periods of time, it is also critical to store these important records in boxes that are well-organized and clearly marked with the contents and dates. The record room should be very secure, with limited employee access because its contents are highly confidential.

If you’ve unsure of what to keep, what to dispose of and specific retention periods, it may make sense to seek a professional consultation by a record-keeping or document destruction service. Not only will a reputable company be able to guide you through what needs to be destroyed or retained, but also they can help you dispose of any unneeded documents securely. You’ll then be able to tackle your document spring cleaning with confidence and enjoy the satisfaction of marking a critical item off this year’s to-do list.

What You Need to Know about HIPAA

Thu, 19 May 2011 14:37:19 GMT

Most of us are familiar with HIPAA as an acronym for U.S. legislation associated with medical professionals and health care organizations. But, do you know the practical realities of HIPAA extend far beyond the medical field, affecting the way you store and destroy confidential medical records?

Defining HIPAA

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a United States federal law that requires health care organizations to, “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” Protected health information (commonly abbreviated PHI) includes: medical records, patient logs, insurance and billing information.

Specifically, the management of private information is detailed through the Privacy Rule and the Security Rule. The Privacy Rule focuses on protecting the usage, transmission and storage of PHI, while the Security Rule specifies administrative, technical and physical security procedures. Both rules are designed to protect an individual’s private and confidential information by standardizing the rules for how it is used, handled, stored, etc.

Who is impacted?

According to HIPAA legislation, the affected parties are, “any health plan, any health care clearinghouse, and any health care provider that transmits any health information in electronic form in connection with the defined transaction."

Obviously, health care providers fall into this definition as do Covered Entities (billing services, life insurers, employers, public health agencies, etc.) and Business Associates. A Business Associate includes contractors or vendors who receive PHI for business purposes including lawyers, auditors, consultants, data collection services, etc.

What does compliance really mean?

At its simplest level, in order to comply with HIPAA legislation, health care organizations must implement and execute policies that safeguard patients’ confidential information. Additionally, health care organizations are required to have a Business Associate Agreements (a contract between a person or company and its associates that have access or use confidential information) with external vendors and suppliers.

Section 1177 (b) of HIPAA outlines the penalties for non-compliance for someone who commits a wrongful or negligent disclosure of an individual’s PHI. Translating these penalties into layman’s terms, a wrongful disclosure can result in a $50,000 penalty and up to one year imprisonment. An offense under false pretenses is judged to be worse, with a possible $100,000 fine and up to five years of imprisonment. Finally, Section 1177 (b) punishes an offense with the intent to sell information with a $250,000 fine and imprisonment up to 10 years.

As you can see, the punishment takes into account whether the violation was intentional and ratchets up the fines and potential imprisonment sentences accordingly. Medical organizations, Covered Entities and Business Associates should note, however, that even an unintentional disclosure could carry a fine of $50,000!

Steps you can take

With a better understanding of the importance of HIPAA and the tangible penalties (fines and imprisonment) plus the intangible setbacks such as diminished patient perception and brand value, what steps can you take today to ensure compliance? One measure is shredding documents containing PHI prior to disposal. HIPAA legislation outlines that document destruction is considered an appropriate safeguard to protect confidential information from intentional or unintentional disclosure.

How Your Old Photocopier Can Cause a Security Breach

Wed, 18 May 2011 16:40:38 GMT

According to, “Digital Photocopiers Loaded with Secrets,” published on CBSNews.com, nearly every digital copier built since 2002 contains a hard drive, much like the hard drive on your personal computer. The copier hard drive stores an image of every document that has been copied, scanned or emailed by the machine.

The security risk occurs because an estimated 60% of Americans do not realize that the copier has a hard drive, and therefore, never sanitize it before selling, giving away or swapping out their current photocopiers. That means would-be thieves simply need to download/print the contents of a copier’s hard drive to gain access to literally thousands of documents – many of which could contain confidential information.

Think this threat isn’t credible? In February 2010, CBS News investigated the photocopier hard drive issue firsthand by going to a warehouse in New Jersey, where they purchased four used printers. It took an IT security expert only minutes to remove the hard drives, run a widely available forensic software program and then download tens of thousands of items in less than 12 hours. The results of the investigation were shocking – domestic violence complaints, pay stubs and even detailed medical records with names, prescriptions and diagnoses. If these documents fell into the wrong hands, not only would they potentially expose innocent victims’ personal information, but also the company that mishandled the printers could receive serious monetary fines and damage to its reputation.

With the seriousness of this threat in mind, what should you do to prevent a copier-related security breach?

Destroy the hard drive. If a photocopier is slated for an upgrade or removal, have an IT professional remove the hard drive and destroy it thoroughly and securely.
Consider encryption hardware. Most copier manufacturers offer security or encryption packages that render the hard drive information unreadable.
Explore specialized products. There are photocopiers products on the market that automatically erase an image from the hard drive, as opposed to storing it.

In addition to these specific precautions, your company can also explore more general practices to improve its overall security that include:

Document all information security risks specific to your organization - consider both paper-based and electronic information sources. Of particular importance is data generation, storage, transfer and the information destruction process.
Develop/implement policies that control employee access to confidential information.
Train your employees in best practices in secure information management and destruction.
Destroy all confidential information - in electronic and paper form – after legal retention periods are met.
Explore outsourcing information destruction to reputable, professional providers. A high-quality provider can ensure the total security of the information destruction process, and can provide documentation to certify that the chain of custody has been maintained and the work has been completed.

With these tips in mind, you’ll be on your way towards creating a company culture that values and emphasizes the importance of respecting an individual’s privacy. Additionally, by being aware of specific risks such as a photocopier’s hard drive, you can then take proactive steps to incorporate such risks into your comprehensive security policy – creating a better and more secure workplace for employees and customers.

Gaining a Better Understanding of FACTA

Fri, 06 May 2011 08:34:31 GMT

The Fair and Accurate Credit Transaction Act, 2003 (FACTA) was enacted in the United States in 2003, with specific rules pertaining to document destruction becoming enforceable in 2005. Even though the legislation has been in place for many years, how much do you really know about FACTA and what constitutes compliance?

What is FACTA?

FACTA added new sections to the existing Fair Credit Reporting Act. FACTA is intended to protect consumers from the crime of identity theft by providing consumers, companies, consumer reporting agencies and regulators with new tools to expand consumer access to credit and enhance the accuracy of consumer financial information.

Who is impacted?

FACTA applies to any person or company that “maintains or otherwise possesses consumer information or any compilation of consumer information, derived from consumer reports for a business purpose.” Examples of such companies include:

Consumer reporting agencies
Resellers of consumer reports
Lenders
Insurers
Employers
Landlords
Government agencies
Mortgage brokers
Automobile dealers
Waste disposal companies

How does compliance affect document shredding?

With the intention of reducing the risk of identity theft, FACTA includes a specific rule regarding the paper disposal of consumer report information and records. Effective June 1, 2005, FACTA states:

“Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”

The rule goes on to provide examples of how a consumer record, whether in paper, electronic or other form, can be disposed of in a compliant manner. One such example is regularly scheduled document shredding and/or a contract with a third party who can properly dispose of consumer records.

What are the penalties associated with FACTA?

FACTA outlines the penalties for non-compliance in Section 616:

“616. Civil liability for willful noncompliance – (a) In general. Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer in an amount equal to the sum of (1) (A) any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000; or (B) in the case of liability of a natural person for obtaining a consumer report under false pretenses or knowingly without a permissible purpose, actual damages sustained by the consumer as a result of the failure or $1,000, whichever is greater; (2) such amount of punitive damages as the court may allow; and (3) in the case of any successful action to enforce any liability under this section, the costs of the action together with reasonable attorney’s fees as determined by the court.”

As you can see, the punishment for organizations that have intentionally violated the provisions of FACTA can be quite severe, and include reimbursement of the actual damages sustained to each individual as a result of the violation, plus additional court determined punitive damages and attorney fees.

Steps you can take as a business

One step you can take to improve FACTA compliance is to shred any documents containing consumer information. FACTA outlines that document destruction is considered an appropriate safeguard to protect confidential information from intentional or unintentional disclosure.

To ensure your information remains secure you should choose a document shredding provider that can help you assess your document handling procedures and implement secure destruction practices.

Steps You Can Take to Lower the Risk of Identity Theft

Wed, 27 Apr 2011 14:54:47 GMT

The crime of identity theft, unfortunately, is still very widespread according to the recently released Annual Report on Consumer Fraud (view report).

Over 1.3 million complaints were received by the CSN (Consumer Sentinel Network) during 2010: 54% fraud complaints; 19% identity theft complaints; and 27% other types of complaints.
Identity theft was the number one complaint category in the CSN for calendar year 2010 with 19% of the overall complaints.
A total of 725,087 CSN 2010 complaints were fraud-related. Consumers reported paying over $1.7 billion in those fraud complaints; the median amount paid was $594.

Identity theft topped the list as the number one fraud complaint for the 11^th consecutive year with more than 250,000 complaints. Based on these numbers and trends, it is clear that individuals and businesses still need to take more precautionary measures to prevent this crime. Yet, criminals continue to find new ways to exploit weaknesses and develop scams, so keeping up with security precautions can feel overwhelming. With that in mind, we’ve compiled a list of suggestions that you can begin using today to ensure you are protecting yourself and your business from fraud:

Review credit reports. This commonsense step is critical because the sooner you suspect your personal credit or business has become compromised, the quicker you can swing into action by notifying credit agencies, banks, etc.
Consider freezing your credit report. Both individuals and businesses are commonly victimized by criminals stealing credit card offers, opening accounts and racking up fraudulent charges on them. While freezing your credit account costs about $30, it prevents anyone from opening new accounts. *The downside is that this freeze must be lifted every time you apply for credit.
Secure your computers and wireless connections. Protect your computer from viruses and attacks by using a security programs and scheduling routine scans. It isn’t enough to simply have the security software installed; it also needs to be updated regularly as new threats occur. If your home or business uses wireless internet, the network needs to be secured and password protected.
Get an employer identification number (EIN). An EIN is a nine-digit number assigned to a business by the IRS, and by obtaining one, your business can use this number on paperwork as opposed to your personal social security number. By limiting the use of your social security number, you’re reducing the chances of it being seen and stolen.
Shred all documents that contain sensitive information. While this tip is the law for business owners, it truly cannot be overemphasized when considering personal and professional security. From credit solicitations to billing receipts and more, your mailbox, recycling bin and garbage are attractive targets for thieves. Consider using a reputable third-party shredding provider to ensure all documents are destroyed securely and thoroughly.
Extend your thinking beyond financial identity theft. While most of us think about identity theft in terms of fraudulent purchases, thieves also target medical and criminal record identity theft. These crimes involve people making medical charges under a false identity or even committing crimes using someone else’s name. For individuals, these crimes underscore the importance of monitoring all of your personal information. For businesses, it is an important reminder that thieves are looking for more than just social security numbers and credit card information.

These tips and action items provide practical ways to reduce your personal and professional vulnerability to the crime of identity theft.

To learn more about Shred-it’s document security assessments and destruction services, please contact us today.

Establishing a Shred-All Policy

Mon, 25 Apr 2011 10:20:59 GMT

Keeping your company’s information secure must be a top priority. With the associated risks of not doing so, your company could be prone to financial loss or reputational damage. In addition to implementing proactive online information technology polices, companies need to consider the importance of securing its hard-copy or paper documents. Not only does proper document security reduce the risk of a security breach, but it is also the law.

Yet, creating and implementing an information security policy that keeps pace with ever-changing scams and evolving legislation can be daunting. In an effort to simplify and improve security policies, some companies are instituting a “shred-all” document policy.

Simply put, adopting a “shred-all” policy means that a company decides that all of their business documents will be securely destroyed, as soon as they are no longer needed. Employees no longer have to decide which documents contain confidential or sensitive information and which do not. They simply dispose of all documents into locked consoles and know that their information will be securely shredded and recycled.

With this in mind, let’s examine the pros and cons of a shred-all policy:

Benefits:

More comprehensive. Leaving the decision of what constitutes a secure document up to employees introduces a subjective element – and potential risk. If an employee makes a poor judgment, a confidential document could wind up in the garbage or recycling bin, where it could become compromised.
Improved compliance. Legislation such as the Sarbanes-Oxley Act, USA Patriot Act or Canada’s PIPEDA all mandate certain requirements in regards to information privacy and carry expensive penalties for non-compliance. By implementing a secure shred-all policy, companies can quickly move toward fully-compliant policies.
Better protection internally. While company-specific documents may not be deemed overtly confidential in terms of the company’s privacy policy, they still may contain proprietary information, trade secrets, customer lists, etc. A shred-all policy eliminates this risk entirely by destroying all printed documents.
Environmentally friendly. By selecting a high-quality shredding provider that recycles all of the shredded materials, 100% of all discarded materials will be recycled as opposed to some materials getting thrown away as garbage. This environmentally responsible position can be promoted as a point of differentiation.

Cons:

Cost. By generating more materials that need shredding, there will be a corresponding increase in the cost of shredding services. This increase in price needs to be factored into the budget, although when one considers the potential costs of a security breach, the relative increase in shredding costs could be easily justified.
Execution. Implementing a shred-all policy requires a certain amount of preparation and planning. From the placement of secure consoles and collecting the documents to training employees on how the policy works, a shred-all policy must be implemented strategically.

With these considerations in mind, it may be that a shred-all policy makes sense as a way for your company to better secure its paper documents.

Call your Shred-it Sales Rep if you have any questions, or if you would like assistance with implementing a shred-all policy.

Shredding – A Green Business Best Practice

Tue, 19 Apr 2011 00:00:00 GMT

From saving money on electric bills to building employee morale by “doing the right thing,” there are many benefits to becoming involved in green initiatives in the way you do your business. You might even find a true “win-win” scenario – a business best practice that saves money and is also good for the environment.

Consider the example of document shredding services. According to the Lawrence Berkley Institute, the average office worker in the United States uses roughly 10,000 sheets of copy paper each year. When multiplied by a rough estimate of the workforce, that number translates to a staggering four million tons of copy paper used annually! One way to combat this wastefulness is to remind employees to only print documents that are absolutely necessary, or you can encourage your staff to print on both sides.

In addition to helping employees be more mindful of printing and producing less waste, another strategy businesses use is recycling. A company needs to think very carefully when choosing this action; After all, if the document contains confidential information, its contents are at great risk if the document remains easily accessible and intact. Recycling bins have long been a target of disgruntled employees, third-party services and recycling station attendants as easy ways to find and steal confidential information.

A smart alternative is to find a high-quality shredding service that securely destroys the materials, and then recycles them too! The benefits of recycling this shredded material are significant. Once the papers are completely and securely destroyed, they are baled in confetti form, and then recycled into everyday consumer items such as paper towels and paper plates.

Take the example of the information destruction company Shred-it. Shred-it has been committed to environmental responsibility since its inception in 1988. With the statistic of four million tons of waste in mind, they have worked to further quantify what recycling really means to the environment – and what it helps keep out of landfills. Shred-it has measured that, through its recycling efforts, every time two Shred-it secure consoles are filled with paper, one tree is saved.

By translating the recycling effort into actual trees saved, companies have a tangible number that can help them better understand their environmental impact and meet company sustainability goals. Shred-it even provides its customers a Certificate of Environmental Accomplishment each year, which notes how many trees they have saved through their secure shredding and recycling efforts. Companies can lessen their environmental footprint while knowing they are also taking smart steps to keep themselves secure – a winning scenario.

Learn more about Shred-it and their environmental impact

How Working from Home Can Increase Your Security Risk

Thu, 14 Apr 2011 15:36:36 GMT

We all work from home; the benefits of it make it quite appealing to many of us. At the same time however, there are risks associated with doing so. Statistics show that there is a continuing growth of telecommuting, or associates working outside of the office so it is important to be aware of these risks.

According to, “Telecommuting Trends and Stats in the 2009 Economy and Beyond” published by BrightHub.com, “The estimates for the number of telecommuting employment opportunities are continuing to rise, year after year. Gartner Dataquest reported in 2008 that 25% of workers telecommuted in 2007, and in their recent 2009 projections, they estimate that number to hit 27.5%.” It is expected that this number is even higher in 2011.

What’s driving these numbers? From an employer’s perspective, the benefits are numerous. In a report, “Wired Working as a Lifestyle” by the Telework Coalition, a company can save quite a bit of money per employee that works from home – an average of $20,000 per year. The study also found that employees are 22% more productive when working remotely. Finally, there is a direct correlation between decreased employee absenteeism in a work-from-home model, and employee turnover was lowered by a whopping 50%.

Employees benefit from telecommuting, as well. The lack of a commute and dress code certainly helps employees maximize their productive work hours without necessarily adding hours to the workday. It also improves employee satisfaction by granting a certain measure of autonomy, which helps achieve a better balance between work and personal life.

With all of these benefits, employers and employees may be very interested to adopt telecommuting. Yet, such a transition needs to be carefully planned for reasons that extend beyond the obvious questions of workflow, accountability and communication. A successful transition into a work-from-home model must also take into account a comprehensive security policy because telecommuting introduces new security risks such as:

Equipment. Although some companies provide laptops for employees working remotely, many do not. If a computer doesn’t have current anti-virus software, data encryption and firewalls, it may be vulnerable to an attack.

Wireless connections. Even the most secure computer hardware can be exposed if it is operating on an unsecured wireless connection. From improperly configured home networks to public coffee shops, laptops operating on an unsecure connection create an attractive target.

Weak/duplicate passwords. Most people know they should use unique passwords and mix both capitalized and lower-case letters with numbers. Yet, breaches continue to occur when usernames/passwords are hacked from a minimally-secured site, and then used to gain entry to more secure portals.

Improper document disposal. From sensitive corporate information to private customer and prospect lists, employees may need to print confidential information as part of their job duties. Most home offices are not properly equipped to destroy such paperwork securely.

While these risk factors may have the leadership team fearful of telecommuting, there are many commonsense and relatively low-tech ways to reduce the chances of such a security breach.

First, a company needs to create telecommuting security and privacy guidelines so employees have a clear understanding of what constitutes risky behavior and how to minimize such risks.
Additionally, a company should consider providing its employees with laptops so it can control the levels of security and encryption on each machine, plus mandate regular password changes.
Finally, a third-party document shredding company can provide secure locked containers for confidential paperwork disposal and schedule regular pick-ups to destroy such materials.

By being aware of the risk factors and then taking preventative measures, employers can feel confident about exploring a work-from-home model while their associates can reap the benefits of a more flexible working relationship.

Fraud Prevention Month – Assess Your Preparedness

Thu, 31 Mar 2011 15:34:18 GMT

March is Fraud Prevention Month, and it marks the perfect time to analyze how well your company is protecting itself from security risks and breaches that could potentially lead to fraud. Beginning in 2004, the Fraud Prevention Forum has organized and promoted Fraud Prevention Month, aimed at increasing awareness and education about the issue of fraud in Canada.

The latest statistics illustrate just why fraud prevention needs to be a top priority. According to a study by Javelin Research, identity theft is one of the fastest growing crimes in North America. The study found that in 2009, identity theft affected 11.2 million consumers, with a price tag of nearly $54 billion. This number marks a huge increase from 2008, where 9.9 million people were affected with a cost of about $48 billion.

What’s more, a 2010 TD Canada Trust survey showed that 40% of Canadians surveyed say they are 'very' or 'extremely' concerned about becoming a victim of fraud in the future, and 33% of Canadians feel they have been a victim of debit card or credit card fraud in the past. Yet, Shred-it’s own research showed that 6 out of 10 companies are failing to comply with basic security practices!

With these sobering numbers in mind, what should you be doing to protect your company from fraud? We’ve classified our prevention approach into four categories:

Security policies and training. People, whether negligent or intentional, continue to represent the greatest risk when considering workplace security:
- Develop formal information security policies and train employees on how to follow them.
- Limit access to confidential documents and the number of people who handle them.
- Show employees that security is a company-wide initiative by management leading by example.

Information security strategy. With risks and threats continually evolving, it is important to have security best practices in place that:
- Call for regularly-scheduled, periodic security audits.
- Identify any loopholes or vulnerabilities with the information lifecycle, particularly data storage, transfers and destruction.
- Pay attention to unique security risks within your business model, examining both electronic and paper-based information.
- Emphasize building vendor relationships with companies that understand your risks plus best practices and legal compliance.

Electronic information sources. Websites, networks, emails, software and hardware all present opportunities for security lapses:
- Install and update firewalls, anti-virus software and network protection on all computers.
- Ensure employees use strong passwords that are changed regularly.
- Generate individual user accounts for each employeeso each employee can be held accountable for his or her actions on various networks and activity within sensitive files.

Paper-based information sources. Printed documents containing confidential information pose a tremendous security risk if they are mishandled, lost or stolen so it is important to:
- Store documents that are no longer needed in secure, locked consoles until they are destroyed.
- Implement a “shred-all” policy so that your employees do nothavetodecide which documents contain sensitive information. Instead, all documents are securely destroyed on a regular schedule.
- Examine working with a reputable document shredding provider if sourcing document destruction in -house is not a viable option.

If these guidelines and tips have made you curious about how your business currently stacks up in terms of its overall information security, please take Shred-it’s online self-assessment survey. With a better idea of how to examine your business for security loopholes, you’re now on your way to identifying the gaps and taking steps to correct them. Additionally, enlisting the help of a security professional such as Shred-it can be a great way to elevate your company’s security – and contribute to making Fraud Prevention a reality.

Best Practices – Improving Document Security

Wed, 23 Mar 2011 14:52:43 GMT

Understanding how to keep your company secure can be a moving target. From cyber-criminals hacking high-profile websites to complex identity theft scams, the media seems to report a new attack almost every day.

Unfortunately, recent statistics substantiate this thought. Javelin Strategies, a prominent research firm, reports that incidences of identity theft increased by 11% from 2008 to 2009, and affected the lives of 11 million Americans. Considering that this crime has been on rise for multiple years, if these numbers prove to be a pattern, one in every 20 Americans risks being a victim in 2011. That’s a scary thought.

With these statistics in mind, it is important that individuals and businesses take steps to protect their information – and themselves – from such an incident. While high-tech crimes garner much of the media attention, low-tech crimes such as stealing someone’s wallet, checkbook or trash cause almost half of all crimes.

It follows that understanding and implementing secure document handling procedures must be a priority. Many business owners are asking, “What constitutes document security best practices?”

Examine the entire document lifecycle. Before you can identify any security vulnerabilities, you must first understand your company’s document workflow and lifecycle. From creating the documents to storing and transferring them, many documents touch multiple departments and personnel. The more touch-points, the greater the risks.
Develop security policies. By creating an internal document handling process, employees will have a clear understanding of what constitutes a sensitive document, how to handle them properly and what to do in the event of a potential breach or suspicious behavior. Additionally, it is important to research national and local legislation to ensure your new policy is 100% compliant with rules and regulations.
Limit access. The more people who have access to sensitive documents, the greater the risk of a theft or breach. Restrict employee access to confidential data. This should be done based on specific business needs or specific categories of personnel. From limiting access to the record-keeping room to locking filing cabinets, there are many ways to accomplish this task.
Perform training. Ongoing updates to privacy legislation and personnel changes mean that it’s not enough to simply create a privacy policy – it also must be adapted and reinforced from the top down. It makes sense to implement quarterly training or retraining sessions so the privacy policy is easily understood and followed.
Destroy documents securely. Confidential documents must be destroyed once they are no longer needed or the legal retention period is met. Secure destruction means they are shredded in such a way that the document cannot be reconstructed, and the intact document is not exposed to risk prior to shredding. This can be accomplished with a regularly-scheduled on site shredding service.
Build a culture of respect. With all of the potential hazards for security breaches and identity theft, a company can only minimize the risks it faces, as opposed to eliminating them entirely. Therefore, the company needs to create a culture that values and respects confidentiality and privacy. Employees will be better educated and motivated to adhere to the privacy policy and treat document security as an important company initiative.

With so many moving parts, it is clear that building a comprehensive document security policy requires commitment, resources and an internal champion. In order to help you begin, it may make sense to consult an expert in document handling best practices or secure shredding solutions. Once you’ve developed a plan and an implementation strategy, you’ll have taken an important step in protecting your company and customers’ privacy.

Beware: Not all shredding services offer the same level of security

Fri, 18 Mar 2011 13:44:19 GMT

With plenty of document shredding companies in the marketplace, businesses have a lot of factors to consider when selecting a provider. One such choice involves whether the company uses curb-to-hopper totes as part of their services.

Basically, curb-to-hopper totes are large plastic containers resembling garbage bins, with a slot at the top for collecting documents that require shredding. Once wheeled out to the shredding vehicle, a pneumatic arm performs the process of lifting/emptying the tote into the truck. The documents are then shredded in the truck.

While conceptually this curb-to-hopper process might seem foolproof, it introduces elements of risk that customers need to consider:

1. Security of the tote. The very concept and design of the container exposes documents to risk because it is built to automatically swing open to make removing the documents easy. That same easy-access design, however, makes it equally easy for a thief to break into and remove confidential documents before they are shredded.

2. Mobility of the tote. The curb-to-hopper totes are built to be easily wheeled from the customers’ premises, so they can then be emptied into the truck. This mobility feature introduces another possibility of breach, if it is rolled off of the place of business – placing all of its intact contents at great risk. In addition, your cleaning service might easily mistake it for a standard garbage bin and misplace or mishandle the confidential contents inside.

3. Static cling. While this risk might sound like it is more connected to a fashion show than document shredding, it actually poses a legitimate threat. Papers can easily stick to the sides of the totes due to the lifting/emptying by the pneumatic swing-arm. Any papers that stick to the inside of the console are intact and pose the risk of becoming compromised. Usually, a provider will wheel in new totes first, and then remove the ones in your place of business. This means, that if information remains in the tote, it will most likely be wheeled into the next business they service.

4. Unattended totes. The practice of wheeling several totes out to the truck for shredding introduces risk because only one tote can be lifted and emptied at any given time. This fact means that if multiple totes are removed from the premises at the same time, totes are left sitting unattended – and their contents at risk. This concern isn’t limited to an individual with nefarious intentions. Wind or rain can blow documents out of the totes where they now present the risk of a breach.

These four considerations illustrate how even the most seemingly minor details can increase the level of risk – and raise the odds of a possible security breach. One alternative to the curb-to-hopper process is a company that offers on site shredding, but uses secure hard-construction consoles to collect the documents. Consoles that are locked, not easily moved and equipped with static-free nylon bags. Your service provider should ensure the security of your confidential information by performing the shredding inside a locked security screen. This precaution ensures documents are never left unattended or exposed to weather elements.

As we mentioned at the beginning of the post, your research of different shredding solutions will uncover many options and price points. While these differences may oftentimes seem small or insignificant, it is always important to consider how details or loopholes can pose serious potential risks to your document security, and the health of your entire organization.

To learn more, download our free Guide to Secure Document Destruction Processes.

Five reasons why on site shredding is the most secure

Wed, 09 Mar 2011 08:36:13 GMT

When you are researching and shopping for document shredding solutions, you’ll find many different service options and pricing models. One key differentiator is whether the company offers on site or off site shredding. While a clever sales pitch or a slick presentation may make off site shredding seem like a winning solution, there are many, very real security concerns you should consider before choosing off site shredding:

Concern: Document storage prior to destruction.
Threat: If confidential documents are stored in open bins or unsecured containers prior to collection, the information is exposed to tremendous risk. After all, anyone who walks by the bins could potentially take whatever sensitive documents piques his/her interest.
On site solution: Top-notch providers use secure consoles that prevent documents from being removed once they are deposited. Also, look for non-moving consoles to eliminate the possibility of someone stealing the entire unit.

Concern: Facility compliance.
Threat: The very model of off site shredding means that your documents are transported to a different location to be shredded. You’ll likely not have access to the facility where the documents are destroyed and if the facility your shredding vendor uses doesn’t meet compliance regulations, you’d be none the wiser.
On site solution: Destroying documents on site involves the use of a specially-equipped, secure shredding truck. The shredder is in the back of the truck and destruction takes place right away. Many providers even offer their clients the ability to watch the shredding process on site for added peace of mind.

Concern: Transportation.
Threat:The very act of transporting non-shredded documents to the shredding facility introduces an element of uncertainty and risk. If the transportation vehicle experiences mechanical failure or become involved in an accident, its contents may become compromised. In the event such a problem occurs, your document security can become compromised, too.
On site solution: There is no transportation of un-shredded materials involved in on site shredding because the documents are loaded into the on site truck and securely destroyed.

Concern: Contact with materials.
Threat: Each person who is in contact with intact, confidential documents poses a potential security threat or opportunity for breach. From the collection agents and drivers to the loading dock handlers and document sorters, you might be amazed and unnerved by how many times your documents are exposed to different people…and risk.
On site solution:With the documents moving only from secure consoles to the on site truck for immediate shredding, the risk of excess handlers and personnel is removed.

Concern: Turnaround time to destruction.
Threat: As stated in the above point, each person who potentially has access to your confidential documents introduces another element of risk. With that thought in mind, it is not uncommon for off site document shredding providers to leave documents unattended on loading docks, while in the queue to be destroyed. This action introduces yet another opportunity for a security breach.
On site solution: With the actual shredding occurring on site, documents are never left unattended from the time they arrive at the truck to the moment they are destroyed.

As you can see from a brief examination of these five concerns, off site shredding introduces new, and potentially risky, variables into the document shredding equation. With increasingly rigorous compliance laws and your company’s reputation at stake, it is important to consider whether it’s wise to introduce any uncertainty into your document shredding solution.

To learn more about on site shredding services, please click here.

Understanding the Cost of Identity Theft

Fri, 25 Feb 2011 09:02:09 GMT

It’s a fact – the crime of identity theft is growing. According to Javelin Research, their 2010 Identity Fraud Survey Report found that Identity fraud has risen to 11.1 million US victims, which is up 12% from 9.9 million in 2008.With this staggering statistic in mind, protecting your identity must be a top priority.

Simple steps to increase your online security include: keeping operating systems updated, configuring passwords to protect wireless networks and using unique passwords for secure sites (and ensuring these passwords include numbers or capitalized letters). Yet, while online theft might garner the bulk of the media attention, low-tech forms of identity theft such as stolen documents and wallets account for 43% all crimes!

One smart precaution is to thoroughly shred all documents that contain sensitive information. From medical records to credit card solicitations, you’d be amazed at how such seemingly harmless material can be the source ofa full-blown identity theft. Businesses aren’t immune from such crimes either. They should take precautions to safeguard client and employee information by implementing a privacy policy that includes destroying any sensitive information securely. An outsourced shredding company can provide such services and provide both personal and professional peace of mind.

To learn more about just how costly identity theft is, please view the infographic hosted on Mashable and created by Sam Franada of Lines & Moodswings for KGBPeople (based on data from Wikipedia, the I.D. Theft Center and other sources).

To learn more about how you can protect yourself and your business from identity theft, view information on Shred-it'sRegularly Scheduled Service and Community Shred-it Events.

Protecting Employee Information – Leading by Example

Wed, 26 Jan 2011 15:55:46 GMT

Keeping employees interested and engaged in their work is a key function of management and human resources. After all, happy employees are not only more productive but they also have increased rates of retention. This higher retention rate contributes to a host of other positive effects such as staff being more knowledgeable, skillful and loyal to a company.

In a challenging economy, an increase in pay may not be a viable option for management to express their appreciation. Companies need to think “outside the box” for ways to bolster employee morale and motivation. According to the article, “Ten Tips on Improving Employee Motivation” published on AllBusiness.com, one way to achieve such a result is to, “Create a positive environment. Promote an office atmosphere that makes all employees feel worthwhile and important. Don’t play favorites with your staff. Keep office doors open and let folks know they can always approach you with questions or concerns. A happy office is a productive office.”

Another way you can create this positive environment and show employees that you truly care is by proactively promoting and adhering to a company-wide privacy policy. By implementing this type of policy you show that you care about your employees, and their personal security. As an HR professional, you do not want to be responsible for multiple cases of identity theft with your employee’s information. From background checks and direct deposit banking information to paystubs and health information, your department holds a wealth of sensitive employee information. This information needs to be treated with the same safe handling procedures as the ones used company-wide. You want to prevent any breaches, as you do not want to cause your employees the stress and hardship of having to reclaim their identity because your department did not have a strict privacy policy in place.

There are several ways you can achieve this. These compliance and employee-first practices include:

Focusing on ongoing training and education. Train employees on how to operate technology and systems in accordance with all security policies. Hold regular training sessions for each department to review best practices for internet security, document handling and more. Also, educate employees on the latest scams thieves use online, via e-mail, and over the phone to try and extract confidential information.
Limiting access. Conduct periodic audits of employee logins and credentials to ensure their permission levels are aligned with their job responsibilities. It is a security best practice to limit access as much as possible, within reason.
Destroying confidential paperwork. Stealing confidential paperwork remains a popular way to commit such a breach, even though online phishing scams and sophisticated crime rings garner much of the media’s attention. Promote the company-wide process for the handling of sensitive paperwork such as billing transaction receipts, credit records, employee paperwork, etc. Considering the vast amount of paperwork produced and the steps associated with secure document destruction, it may make sense to turn to an outside, accredited document destruction provider.
Creating security awareness campaigns. Many security lapses are simply a result of carelessness. Make sure document security is top-of-mind by regularly promoting it via internal communications, department meetings, etc. You may want to implement a clean-desk policy within your workplace. A clean desk-policy asks that ALL employees shred ALL paper regardless of what information is on it. This ensures that your employees are not making the decision as to what information is important enough to shred and what is not. If all paper is securely disposed of, it is much more difficult for a breach to occur.
Nurturing a trust-based culture. This point circles back to theme of the entire article – when you show how much you and your company cares, you’re helping to build an atmosphere of trust and loyalty. In turn, employees are invested in “doing the right thing.” As such a culture is developed, employees will be happier, more productive and more likely to take pride in what they do.

When these steps are followed, employees will see that human resources is leading the charge in keeping their information safe – and the company privacy policy is more than a piece of paper with rules and procedures. As it becomes clear that protecting everyone’s privacy, from customers to employees, is a high priority, you’ll be demonstrating that your company values them as assets and individuals.

To learn more, read the Human Resources Guide to a Total Security Culture

Make Your Business More Profitable with Document Shredding

Wed, 19 Jan 2011 15:19:39 GMT

As a small to medium sized business owner or executive, you’re vigilant about watching your company’s expenses. After all, in order for a small business to grow and succeed, it needs to achieve a balance between reinvesting profits to meet growth benchmarks while maintaining certain cash reserves. That challenge can create a mindset of constantly economizing and trying to reduce outside expenditures. Yet, some third party expenses can be so beneficial to the overall health of your company that they bear consideration. In other words, the return on investment is great enough to make the expense worthwhile.

One area where the profitability or ROI of using a third party resource is worth such consideration is document destruction and shredding. Compliance legislation mandates that even the smallest businesses need to adhere to certain practices in terms of record-keeping and the destruction of confidential personal information. With that in mind, ask yourself, “How is my business handling the destruction of such information?”

One common answer is to handle document shredding in-house. At first glance, that solution certainly seems to be the easiest. You can simply station shredders at certain location points throughout the office and instruct personnel to shred confidential information. Is it really that easy though?

Consider that employees must first be trained on what constitutes confidential information and how records must be treated. For example, some records must be held a certain length of time in order to maintain compliance. Additionally, legislation dictates that once records are no longer needed, they also must be destroyed within a certain period of time. Outlining these processes and procedures takes time and resources, plus because legislation continues to evolve, someone needs to monitor compliance information to stay abreast of any changes.

In addition to the time it takes to develop a privacy policy, there is also the burden of actually implementing it. Taken in isolation, shredding one document is a relatively quick task – perhaps two minutes. Yet, if you consider that amount of time (two minutes) multiplied by 10 employees, the loss of time is 20 minutes. Multiply that number by five days, then four weeks, and ultimately a year, you’re looking at a significant amount of time – 83 hours annually. That’s a considerable amount of time lost!

Just as important as the amount of time lost is the burden you’re placing on personnel. Unless you have a designated compliance or privacy analyst, the function of developing and maintaining the privacy policy falls to someone who likely doesn’t specialize in such duties. This lack of specialization introduces a potential risk for errors, as well as well as a huge distraction. In the worst case scenario, the person is disinterested in the job duties and performs them poorly.

Finally, it’s important to think of the risks associated with having various personnel come into contact with confidential documents. Let’s be honest – sometimes the confidential information will be about certain aspects of your company and you don’t want all employees to have access to financial records, employee information, etc. Just as important, while most employees are trustworthy, it only takes one person with bad intentions to create a large, expensive security breach. Even if the employees are 100% trustworthy, oftentimes simple negligence such as leaving documents in a recycling bin or unopened mail can result in a leak of sensitive information.

With these considerations in mind, it makes sense that outsourcing your document shredding solutions could result in a return on investment that makes the expense more than justifiable - it makes using a document shredding solution a smart financial investment for your business.

To learn more, download our free Small Business Guide to Document Security.

Identity Theft: The Customer Loyalty Killer

Wed, 19 Jan 2011 15:15:42 GMT

When you think of the core focus of every company, it is almost always centered on growing top-line revenue. Revenue growth can be achieved by winning new customers and accounts – and it can also be achieved by incrementally growing current accounts. In addition to growing revenue, companies must also focus on keeping customer attrition rates as low as possible – in other words, growing customer loyalty.

We hear the term constantly throughout our workday, but what exactly defines customer loyalty? Ellen Goodwright, author of the Customer Service Basics blog, states, “Customer loyalty is when an organization receives the ultimate reward for the way it interacts with its customers. Loyal customers buy more, buy longer and tell more people - that's true customer loyalty.”

With this definition in mind, thinking about the way your company interacts with its customers must be a top priority in order to sustain growth. Seemingly mundane tasks such as answering phone calls and resolving billing issues to more high-level activities including on-time delivery of products/services and contract negotiations can play an important role in the way the customer perceives your business. Just as important as the discrete factors are the intangibles such as reputation and trustworthiness. People want to work with companies that they trust, and few things have a more negative impact on trust than news or rumors of a security breach.

From credit applications to billing receipts, chances are your company has access to sensitive, confidential customer information, and keeping it secure is critical. More than just a moral obligation or a sense of “doing the right thing,” leaking confidential information that could lead to identity theft is a business killer. Consider these facts from an annual study conducted by the Ponemon Institute in 2008:

Breaches are costly events for an organization; the average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007 and $4.7 million in 2006) and ranged from $613,000 to almost $32 million.
Cost of lost business continues to carry the highest impact: The cost of lost business continued to be the most costly effect of a breach averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study.

What’s more, according to CIO magazine, after a breach, 20% of customers sever all ties with the company, 40% say they consider doing the same, and another 5% will be hiring lawyers. Could your business survive if it lost one out of every five customers?

With these sobering statistics in mind, savvy business owners recognize that just one security breach very well could be the demise of an entire business. Therefore, they are taking preventative measures to avoid such an incidence. A simple step such as limiting personnel’s access to confidential information is one way to reduce the risk of such information getting into the wrong hands and potentially becoming compromised.

Another smart preventative measure is to completely destroy all records that contain confidential information as soon as they are no longer needed for record-keeping or compliance purposes. After all, a lesser amount of confidential paperwork lying around the workplace translates to fewer opportunities for a breach. Instead of purchasing a shredder and hoping it is used diligently, some companies choose to partner with an outsourced document shredding solution. In this partnership, the onus of collecting and destroying documents falls to the outsourced provider. Using this model, your customer, and their loyalty, are as protected as your company.

To learn more, download our free Customer Service Guide to Secure Document Destruction and Reputation Management.

Are you really getting a Return & Reducing Risk with a $99 Shredder?

Wed, 12 Jan 2011 16:58:49 GMT

Do you know just how expensive a security breach can be to your company? According to research conducted by the Ponemon Institute in 2008, that figure is estimated to be $202 per record compromised. Even more daunting, the cost of lost business continued to be the most expensive impact of a breach, averaging $4.59 million or $139 per record compromised. Lost business now accounts for an astonishing 69% of data breach costs, up from 65% in 2007.

With a clearer picture of how expensive a security breach can be, business must do everything possible to prevent such an occurrence. One such way many businesses are improving their overall security is to dispose of all sensitive, confidential paperwork by shredding it.

Shredding paperwork properly, however, is considerably more complicated than going to the local office supply store, picking up a $99 shredder and placing it in the copy room. While many may not think of it as a major issue or expense, this decision of self shredding can greatly impact the organization. There are many considerations and costs you should factor in when choosing to destroy documents in-house:

Fixed Costs

Cost of document shredders, including maintenance, repair and support contracts.
Cost of associated supplies such as wastebasket liners and bins.
Cost of physical space dedicated to shredding equipment and collection bins

Labor

Total cost of staff strictly dedicated to developing document handling protocol and policies
Total cost of staff dedicated to staying abreast of any changes to related legislation.
Cost of total average staff hours used to shred the documents.
Cost of total average staff hours spent in training on document handling best practices and policies.

After weighing these factors and calculating both fixed and labor costs, it may make financial sense to consider an outsourced document shredding solution. A reputable shredding company will do more than securely destroy confidential documents – they can provide certificates of destruction as well as train staff in best practices and compliant document handling. Additionally, some shredding providers offer:

Onsite shredding so the documents aren’t exposed to the risks associated with leaving the property and transportation
Options such as regularly-scheduled service, one-time service and non-paper destruction.
Flexible service frequency and storage console options.
Various levels of destruction technology to meet the needs to different document classifications.
Expertise in establishing an auditable document destruction system that is easy to implement and use.

These options help an outsourced document shredding solution fit seamlessly into the fabric of your office, while providing secure document destruction. Additionally, the burden of understanding what constitutes secure and compliant document shredding doesn’t rest on you or your employees – you now have an expert resource to guide you.

After carefully considering the importance of protecting your customers, employees and your business from security breaches and possible of identity theft, outsourced shredding solutions may present itself as one of the most cost-effective ways to raise your business’ level of security. Now, unburdened with the challenges of document security, you and your employees can focus on what makes the business successful and prosperous.

To learn more, download our guide to Secure Document Processes Critical to Business Success.

Healthcare Regulatory Compliance: Reduce your Risk

Wed, 12 Jan 2011 16:46:14 GMT

As a healthcare professional, you know that complying with government regulations is essential to operating a successful practice. In addition to fulfilling the moral obligation of protecting patient information, operating a compliant practice is the law. In the US, HIPAA legislation has been continually evolving to better protect patients’ information, yet some of the changes can be difficult to understand, and make it even harder to maintain compliance.

Before we examine the legislation itself, let’s consider the importance of keeping protected health information (PHI) secure. PHI contains confidential patient information that can be potentially used to reconstruct, and subsequently steal, a person’s identity. According to the article, “Patient Billed for Phony Liposuction as Medical ID Theft RisesMedical,” published on March 23, 2010 in Businessweek, “Medical identity theft is about 2.5 times more costly than other types of ID fraud, said James Van Dyke, president of Javelin, in part because criminals use stolen health data an average of four times longer than other identity crimes before the theft is caught. The average fraud involving health information was $12,100 compared with $4,841 for all identity crimes last year and consumers spent an average of $2,228 to resolve it, or six times more than other identity fraud, according to Javelin.”

With these statistics and costs in mind, it is easy to understand the importance of protecting PHI and that is the intent of recent changes to HIPAA legislation such as the HITECH Act. Over the last calendar year, these progressive “milestones” have become enforceable, and with them, changes to regulatory compliance that include increasing the penalties for divulging protected health information (PHI).

In regards to the first point, protecting confidential patient information has long been a part of HIPAA legislation. Under the HITECH Act, however, the penalties and punishment for releasing such information have been raised. Being aware of how patient health information is being handled and destroyed is critical. Additionally, a practice must understand what exactly constitutes a breach because failure to provide notification following a breach can result in civil and even criminal penalties. To avoid heavy fines or even jail time, the following gives a quick overview of the consequences of HIPAA violations.

Civil Penalties

When a person unknowingly divulges patient information, it constitutes a civil penalty of HIPAA violation. This type of violation has differing levels of severity with the situation and the time period the person had to correct the situation determining the range of the fine. The least severe violation has a minimum penalty of $100 per violation, with a maximum $25,000 fine for repeat violations annually. If the HIPAA violation exceeds the $100 fine, the Covered Entity is also required to report it to local news agencies. The most severe violation occurs when a person unknowingly divulges patient information due to willful neglect and does not try to correct the situation. The fine for this type of violation is $50,000, with an annual maximum of $1.5 million.

Criminal Penalties

For a HIPAA violation to be deemed criminal, the person who committed the violation must have done so willingly, knowing the implications of divulging the patient information. Structured similarly to civil penalties, there are different levels of severity for criminal violations, with the minimum penalty being $50,000 and up to one year in jail. Violations committed under false pretenses require a penalty of $100,000 and up to five years in prison. The most severe penalty is enforced in cases where the intent was to sell, transfer or use patient information for commercial advantage, personal gain, or malicious harm. This type of violation is punishable by a fine of up to $250,000 and up to 10 years of jail time.

With the severity and punitive structure of such violations, it makes sense to consider steps your practice can take to avoid the possibility of such breaches. One logical option is to control and limit the amount of paperwork containing confidential information or PHI. By reducing the volume of information, you’ll be lowering the risk of such information getting lost or into the wrong hands. A reputable document shredding solution can do just that – instead of sensitive information being stored in an unsecure records room or filing area, it can be thoroughly and securely destroyed. Not only does it protect patients but also it will give you the peace of mind that you’re operating a compliant medical practice.

To learn more, view our free Preventing Medical Identity Theft Guide

Employee Efficiency: The Hidden Cost of In House Shredding

Wed, 05 Jan 2011 14:58:26 GMT

When you think of your company’s monthly expenditures, the cost of personnel likely tops the list. From the actual wages earned and medical benefits to paid time off and sick leave, each employee represents a net expense, regardless of how well he/she performs. As smart executives and leadership know, it is crucial to ensure your employees are as productive as possible in order to maximize the return on their labor expense.

According to an article, "Hardly Working – A Look into Business at the Workplace," published November 30, 2010 on OnlineMBA.com, this loss of productivity is staggering. On average, three hours of the traditional eight hour work day are wasted due to non-productivity – and this number does not include breaks and lunch. Of course, this wasted time equals wasted money with over $750 billion dollars exhausted annually by employers who are paying employees for non-productive time. Web surfing was listed as the top time-wasting culprit and socializing with co-workers ranked second. Consider this statistic: 77% of workers who have a Facebook account use it at work! It is also estimated that Fantasy Football costs employers $10.5 billion in lost productivity.

As a savvy business owner, you’re probably already undertaking measures to boost employee productivity. Simple solutions such as: maintaining strong employee morale, encouraging knowledge-share and training sessions, keeping work areas tidy, communicating schedules/availability clearly, etc. can help employees work diligently. But there may be one time-waster that your business is missing entirely – that can cost double-digits in terms of total productivity.

The problem is document shredding.

At first, it may sound impossible. After all, how many minutes does it really take to shred confidential meeting notes, a credit application or an employment verification request? As you read on, the answer may surprise you.

Before we can examine the actual numbers, it is important to establish some baseline assumptions and associated mathematics.

How many people do you employ? We’ll assume 20 for our purposes.
How many people in your office need to perform shredding on a daily basis? A reasonable estimate would be that about half, or 10 people shred documents daily.
How long does it take to shred the document? Remember to factor in the time it takes to get to the shredder, remove paper clips and staples, feed the document, etc. We’ll assume 3 minutes/day in this example.

With these numbers, we can now calculate how this relatively small number of minutes (3) increases exponentially as you multiply 3 minutes x 10 employees for an average loss of: 30 minutes/day, 150/week, 600/month. 600 minutes translates to 10 lost hours of productivity per month! Let’s also assume that your employees are paid on average $15 an hour. If we multiply $15 by 10 hours, you are already spending approximately $150 a month on document shredding. It is also important to remember that the initial estimated numbers were conservative.

Lost employee productivity is not the only cost to your company. When utilizing an in house shredder, you need to factor in direct costs such as: shredding equipment and upkeep, bag costs, disposal costs, etc. If you’re maintaining multiple shredders, these numbers can add up in a hurry.

With this challenge in mind, it may make sense to consider a different approach to document shredding that keeps employee productivity high. One such option is to research outsourced document shredding providers. Not only will a reliable document shredding company provide all necessary equipment and collection bins, but also they will collect the materials in an unobtrusive manner that doesn’t disrupt the workflow of your office. You will most likely be paying less than your current $150 a month. You’ll also have the peace of mind of destroying documents safely and securely – and the added satisfaction of performing it in a manner that ensures employee productivity doesn’t suffer.

To learn more, read the Human Resources Guide to a Total Security Culture

Protecting Employees from Identity Theft and Fraud

Wed, 15 Dec 2010 16:17:50 GMT

By Michael Collins

The mechanics of identity theft and fraud are often associated with external sources but approximately 36 per cent of security breaches reported in 2009 originated within companies, according to a study conducted by Telus and the University of Toronto’s Rotman School of Management. The same study shows that unauthorized access to information by employees is up by 112 per cent and is the fastest-growing breach category.

While every organization is unique, typical risks include a lack of strategic security planning and comprehensive policies, particularly regulating insider access to sensitive information, as well as policy implementation issues. This creates an environment where confidential employee information may be easily mishandled, either through negligence or wrong-doing. This mishandled information is an easy target for identity theft fraudsters who may operate both inside and outside of your organization.

Security risks faced by HR professionals also include duplicate documents stored in different locations on the network, and unattended loose print documents. Unrestricted or easily obtainable access to employee records, both in electronic and paper form, is another major concern. Finally, a lack of consistency between HR and other departments when it comes to enforcing information security policies and procedures creates uncertainty and confusion that multiplies security risks.

Securing information

Following these guidelines will enable HR professionals to protect the security of employee information and eliminate the potential for identity theft and fraud.

First, conduct a security audit by asking yourself the following questions:

Are there formal policies in place governing the issues of information security in your organization and in your department?
Is access to employee records restricted to HR professionals and other key personnel?
Is this access strictly differentiated, based on the specific business needs of specific categories of personnel?
Do restricted and differentiated access policies apply to both paper-based and electronic employee files?
Do you monitor your office for printed employee-related documents?
Is paper waste in your department fully destroyed on a regular basis?

To build your security policy, use the following six steps:

List all potential risks that may threaten the security of your employee records.
Examine both paper-based and electronic-information sources; analyze every stage of your workflow and information cycle from data generation and storage to data transfer from location to location and document destruction.
Create comprehensive information-security policies ensuring your department is fully compliant with companywide policies and procedures, as well as national identity theft and privacy legislation.
Restrict access to employee records, based on specific business needs of specific categories of personnel. If your organization operates internationally and has centralized information management systems, consider establishing country-specific levels of access.
Build an organizational culture that values and respects the integrity of employee and other sensitive information.
Train your staff in secure document management and destruction; implement a shred-all policy, making sure all paper documents are securely destroyed on a regular basis.

Michael Collins is the regional manager at Shred-it Canada in the Greater Toronto Area.

To learn more, read the Human Resources Guide to a Total Security Culture

Document Shredding: On site versus Off site

Wed, 15 Dec 2010 15:18:46 GMT

You’ve already taken the first step to keep your business secure and protected from identity theft by understanding the importance of disposing of documents securely. Now, it’s time to research different document shredding solutions and choose the one that is the most secure. There are many different document shredding providers, offering a variety of services and price points. One differentiator to consider when choosing a document destruction solution is whether the provider offers on site or off site shredding.

On site shredding is a mobile operation where a specially outfitted truck comes to your place of business and the shredding occurs before they leave your premises. Off site shredding is when your documents are collected from your business and transported to a facility and shredded at a later time or date.

Which method you choose can be a difficult question to resolve. Depending on the source of information, you’ll hear a variety of opinions about the benefits and challenges of each. It makes sense to examine the pros and cons– and the questions you should ask in order to ensure your business is fully protected.

Off Site Shredding Companies

Benefits of Offsite Shredding

The shredded paper is typically mixed and compacted into bales for recycling. Some people feel the mixed shredding provides greater security and protection against documents being re-created.
You’ll receive a Certificate of Destruction, verifying the materials were completely destroyed

Cons of Offsite Shredding

More personnel is involved because the materials must be picked up and transported to the facility before any materials are shredded. It’s critical to verify that all people who have contact with your materials are prescreened.
Off site service providers often sort the documents prior to shredding in order to improve the recyclability of the paper, leaving your information unnecessarily exposed.
You don’t have physical access to the documents once they’ve left your office so there is no way to visually view and verify that your confidential documents have been shredded.
It is difficult to pinpoint how long sensitive information is left unattended or potentially unsecured in queue or a loading dock before it is shredded.
The actual transportation itself offers another element of uncertainty – does the provider have a redundancy plan in case the transportation vehicle breaks down or is involved in an accident?
There can be a long time between when it is collected and when the information is shredded, further delaying receipt of a certificate of destruction.

Given these points about offsite shredding, your other option is to work with a provider who destroys your materials on site.

On Site Shredding

Benefits of On site Shredding

Your materials are transported after they are destroyed. Any person who handles the shredded paper will not be able to read it.
All shredded paper is mixed together in the truck, making it virtually impossible to piece back together. With the materials being destroyed on site, there also is no risk associated with the transportation vehicle breaking down or losing the documents before they are destroyed.
The materials are securely handled on your premises, so you know exactly who had access to the materials before being destroyed.
Documents are not left unattended so they are not exposed to undo risk (example: loading dock)
You can witness the entire document destruction process AND immediately receive a Certificate of Destruction.

Cons of On site Shredding

It typically costs more than off site shredding , as you’re paying for the provider to come to your place of business and destroy the documents

On site shredding options provide greater security because the materials are handled by fewer people and destroyed immediately at your location. Without on site accountability, you can’t truly verify the process and be sure of what happens once the documents leave your office.

Questions to consider when choosing a shredding provider

Can the provider guarantee that not one piece of confidential information is left unshredded? Can you witness the shred?
Will the provider sign a Business Associate Agreement? A Business Associate Agreement is a contract between a person or company and its associates who will have access or use confidential information. It is most often seen in the context of working with medical companies and protected health information (PHI).
When shredded, where does the confidential information go? Landfill? Mill? Other?
Can you receive the Certificate of Destruction immediately?

A reputable and aboveboard provider should be able to answer these questions, plus offer customer references and best practices. With these considerations in mind, you’ll be well on your way to choosing a document shredding provider that not only fits your needs but also gives you 100% confidence that your customers are protected against identity theft.

Document Security - Do You Comply?

Wed, 01 Dec 2010 16:48:37 GMT

Every day, businesses of all sizes generate documents and paperwork containing sensitive information. From payment receipts and billing information to human resources and personnel information, companies need to produce and retain specific, and oftentimes, confidential paperwork in order to comply with US and Canadian business regulations.

While this paperwork is required to adhere to regulatory rules, producing the documents is only half of the compliance task. Destroying the records safely and securely is more than a moral or responsible action for a company to take – it’s also the law. In the last 10 years, Sarbanes-Oxley, the US Safe Harbor Program, Patriot Act and updates to HIPAA legislation have taken aim at better protecting individuals’ privacy. There is no doubt such changes offer beneficial protection for individuals, yet the sheer volume of paperwork, retention periods and safe document destruction can present difficult challenges for businesses.

It is important to recognize just how much paperwork and confidential information any business – large or small – generates on a daily, weekly and monthly basis. Customer lists, revenue statistics, RFP responses and even memos, can contain information about business activity that is deemed confidential and private. Additionally sales receipts, employee paperwork and customer credit screenings contain private information that could potentially lead to identity theft. Customers, partners and employees have the legal right to have this data protected.

If you consider how common the above examples are, it is easy to see how this information could be disposed of unknowingly and wind up in the dumpster – where it is readily available to anyone. Without a strategy to control it, the daily trash contains information that could be a goldmine for a criminal looking to exploit it. Moreover, in an effort to “green” its offices, many businesses promote recycling. While this idea is environmentally friendly; it could represent a nightmare scenario for businesses. Recycled confidential paper can sit in unsecure bins at the office until it’s transported to another sorting facility where many people potentially have access to it.

From a company’s risk perspective, there is no responsibility inherent in the recycling scenario. Paper is given away or sold, and in doing so, the company has relinquished control of how it is handled. What’s more, there isn’t a practical way to establish the exact date that a record is destroyed, and in the event of an audit or litigation, this detail is critical. If paperwork of a private nature does surface, this unsecured process could be interpreted as negligent.

Every business produces confidential paperwork. Any business that discards private and proprietary data without the benefit of destruction exposes itself to the risk of criminal and civil prosecution, as well as the costly loss of business. The only means of minimizing this exposure is to make sure such information is securely collected and destroyed. Following document destruction best practices does more than protect your clients…it also protects your business.

To learn more, read the Small Business Guide to Document Security

Preventing Medical Identity Theft as a Healthcare Professional

Wed, 01 Dec 2010 14:13:24 GMT

As a healthcare administrator, your primary job and priority is to provide an outstanding patient experience. From keeping meticulous records to helping patients get the care they need when they need it, healthcare professionals also have had to work hard to meet the new, more rigorous HIPAA regulations.

With the shift to move record-keeping online, medical facilities need to maintain, transfer and destroy information as circumstances dictate. Because patient paperwork contains highly-sensitive information such as social security numbers plus medical and billing information, disposing of it securely is more than a priority – it’s regulated legislation.

Yet, according to stats released in May 2010 by Healthcare Technology News, medical facilities are truly struggling with this challenge:

Fraud resulting from exposure of health data has risen from 3% in 2008 to 7% in 2009, a 112% increase (Javelin Strategy and Research)
Nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion. (Ponemon Institute)
It takes more than twice the time to detect medical information fraud and the average cost is $12,100, more than twice the cost for other types of identity theft. (Javelin Strategy and Research)

What are the causes of these alarming medical identity theft numbers? They are various – from records being accidentally faxed to wrong numbers to sensitive paperwork that is disposed of improperly. Even more disturbing, medical identity theft is much harder to spot than “traditional” identity theft because it takes longer to manifest itself. In fact, it often takes an Explanation of Benefits letter or a denial of claim because someone has reached his/her maximum benefit to alert the victim to the fraudulent activity!

With this staggering rise in medical identity theft, administrators must find solutions that keep their practice 100% compliant, while being streamlined enough to implement and manage. Rather than increase the onus and burden of paperwork on internal employees, it makes sense to keep employees focused on patient care (their primary responsibility) and consider outsourcing certain administrative tasks such as patient record-keeping and paperwork disposal. For example, there are third party companies that specialize solely in the fulfillment of patient record requests and will assume the burden of compliance for satisfying such requests.

Outsourced paperwork disposal companies are also making a positive impact in the medical industry. The tasks of regularly collecting the paperwork, allocating time to destroying it and maintaining the shredding equipment now fall upon the shoulders of the outsourced disposal company. As opposed to a medical practice trying to securely destroy paperwork onsite, these specialists remove the sensitive information and destroy it in a 100% secure manner. When the hard and soft costs associated with destroying the information in-house are calculated, it doesn’t necessarily result in cost-savings for the practice, especially when personnel expenses are added to the mix.

What’s more, the patient is better protected in this model. Records are destroyed by experts whose sole function is to ensure sensitive information is not exposed to outside risk. The medical practice also benefits from the outsourced model because administrators are not as overwhelmed with the more mundane, yet critical tasks, of operating the facility. In addition to removing some stress from the personnel, it also helps protect the medical facility’s reputation. Medical breaches and identity theft make the news regularly, and it isn’t difficult to imagine the large and far-reaching negative impact they would have on a practice.

In the challenging and hectic world of healthcare, destroying sensitive patient information is more than just a moral obligation – it’s also the law. Medical professionals need to take the risk of medical identity theft seriously and take equally serious steps toward preventing it. One such tactic is exploring an outsourced document destruction service. Not only will patients be better protected, but your practice will be too.

To learn more, view our free Preventing Medical Identity Theft Guide

Insider Breaches: Why Security Concerns Have Shifted "Inside"

Mon, 29 Nov 2010 10:00:00 GMT

It can be one of the most painful and costly hardships a company can experience – a security breach or identity theft that originates within an organization. Maybe it was a disgruntled employee or an improperly screened new hire, but regardless of the cause, the consequences are severe. The initial concerns are primarily financial - settling monetarily with the victims and paying any fines. But those problems are just the beginning… the marketing team will be working overtime to control the press coverage and customer service will be fielding calls and inquiries from concerned clients and former customers. All of these challenges add up to a tremendous amount of lost revenue, damaged brand integrity, lost sales opportunities, negative media coverage, closer scrutiny from regulatory agencies and more.

But what exactly constitutes an insider breach? According to the 2009 article, “Myth or not: Most Security Breaches Originate Internally” published by Michael Kassner in the Tech Republic blog, the terms are defined as follows:

Insiders: Consists of current/former employees and contractors that have permission to access an organization’s computer systems and network.
Security breach: Defined as a situation where an individual intentionally exceeds or misuses network, system, or data access in a manner that negatively affects the security of the organization’s data, systems, or operations.

With these definitions in mind, it certainly makes sense that an insider breach would be easier to accomplish than an external one. In the case of a digital security breach and subsequent identity theft, employees will have access to databases that contain confidential information such as billing information, credit applications, intellectual property, proprietary company information, etc. Plus, an insider will likely have an understanding of the security measures currently in place, so it will be that much easier to circumvent them. Armed with the knowledge of how to “beat the system” and the specific personal information they need to commit identity theft, the insider can potentially steal as much information as they are seeking before anyone is aware of the damage.

In the case of traditional identity theft, or a paper-based security breach, an insider has the same advantages as described above, only this time the thief is seeking printed records. Confidential information could be left on employees’ desks, disposed of in a recycling bin or placed in a “to be shredded” waste basket that isn’t properly secured. To complete the crime, the insider simply takes the information or copies it. What makes these breaches even more dangerous is a paper theft will is harder to track because the very evidence is stolen, whereas online identity theft often leaves digital fingerprints that can be traced.

Given the magnitude of such a crime and the potential nightmare it can become for the company, organizations of all sizes should be asking themselves, “What can we do to prevent an insider security breach?”

From a digital standpoint, protection means implementing a variety of security redundancies. One idea is to consider limiting the permissions of various personnel and logins so that very few people have access to the entire database of personal information. Additionally, the IT department can be used as a deterrent by emphasizing how closely visits to certain highly-sensitive portals are tracked. It also makes sense to limit the type of information that can be placed on a laptop or USB stick, so if one is lost, records and confidential information aren’t at risk.

In thinking about paper-based theft, a company must limit the number of opportunities for an insider breach. There must be company-wide processes for the handling and disposal of sensitive paperwork. One idea is to limit access by allowing only the highest level of personnel in the records room. Another thought is to securely destroy records that contain sensitive information once they are no longer needed. A high-quality shredder can provide this type of document destruction, although secure document destruction is so much more than a piece of equipment. It also requires a secure place to hold documents until they are destroyed, timely collection of such materials and destruction in such a manner that they cannot be reconstructed. With these rigorous standards and needs, it may make sense to consider an outsourced document destruction provider who is highly-trained and specialized in this type of service.

While these steps and measures will help prevent an insider breach, it is important to remember another great deterrent – company culture. From the CEO and leadership to customer service and brand ambassadors, creating a company rooted in loyalty, trust and security will help set the expectation that an inside breach is simply not possible when so many employees are committed to “doing the right thing.” Moreover, when this type of culture is merged with the right precautions both digitally and procedurally, the risk for an insider security breach decreases exponentially.

To learn more, download our free Customer Service Guide to Secure Document Destruction and Reputation Management.

Not Knowing the Law Does Not Exempt You From the Law

Wed, 17 Nov 2010 15:17:02 GMT

As business owners, financial executives and C-level officers, your lives are already filled with tons of demands on your time and energy. From managing high-level clients and performing business development to overseeing new hires and making sure operations are running smoothly, the ‘to-do’ list is miles long. While privacy legislation and maintaining a compliant business are likely on your radar, they may slip down the priority chain, given their rather complex and onerous status. Potentially even more frustrating, privacy laws and legislation continue to change and evolve. The steps that constituted compliance 18 months ago may look very different today.

Record-keeping legislation passed in the United States over the last decade such as the Sarbanes-Oxley Act, US Safe Harbor Program and the USA Patriot Act have changed the length of time documents need to be retained, how information is transferred and much more. Similarly, Canada enacted the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2004, which places guidelines on how personal information is collected and used by private companies. On the whole, the legislation has had the desired effect of helping protect individuals’ private information. Yet, as a business owner or executive, these measures have made compliance more difficult and complex.

As the title above states, not knowing the law isn’t an excuse to avoid following it. Consider the Sarbanes-Oxley Act (SOX) passed in 2002, in response to the high-profile corporate investor swindling of Enron and WorldCom. While its major impact is on publically traded companies and their auditing and record-keeping practices, other sub-sectors such as accounting, legal and information management who work with companies on financial and corporate reporting have also been impacted. The penalties for non-compliance can be severe – according to SOX-online.com, “What happens depends on which section of the act they’re out of compliance with. Non-compliance penalties range from the loss of exchange listing, loss of D&O insurance to multimillion dollar fines and imprisonment. A CEO or CFO who submits a wrong certification is subject to a fine up to $1 million and imprisonment for up to ten years.”

The Safe Harbor Program, designed to protect personal information as it flows between the EU and the US, ensures that companies included in the “safe harbor” are taking adequate precautions to protect sensitive information. According to the government site, export.gov, “A company's failure to abide by commitments to implement the safe harbor principles might be considered deceptive and actionable by the Federal Trade Commission. The FTC has the power to rectify such misrepresentations by seeking administrative orders and civil penalties of up to $12,000 per day for violations.”

Given the potential severity of the penalties and fines, what should companies do when confronted with the necessity of maintaining a compliant business? The answers obviously vary given the size of the company and whether it is publically traded or privately held, but one truth remains constant – all companies must pay attention to compliance rules and legislation and take the necessary steps to adhere to them. In addition to enlisting the help of legal counsel to explain the rules, companies also need to investigate the practical realities of implementing such policies and processes. Many of the rules and regulations focus on retaining certain confidential paperwork such as audit records for an extended period of time. Once the retention period is met, the company then must securely destroy such files, both paper and electronic. Additionally, if the company’s compliance is called into question, it must have a way to halt such document destruction quickly.

With these stipulations in mind, an outside document destruction service may be a smart solution. High-quality document destruction providers do much more than simply shred a bunch of papers. They can drop off secure boxes for confidential paperwork to be stored until it is collected, plus provide certificates of destruction once the paperwork is shredded. Additionally, some top-tier shredding providers are training their personnel in compliance and document destruction best practices as well, they are able to assist in the development of your information security strategy. They can help by auditing your organization to make sure security processes are followed and help to ensure your business is adhering to the rules and legislation.

While privacy laws and compliance can feel like a moving target, ignorance is not bliss through the eyes of your customers...or the law. Both the US and Canada have enacted various legislation to protect personal information, and failure to follow these laws can produce punitive penalties and monetary fines. As you take steps to ensure your organization is compliant, look for ways to outsource certain labor and time intensive activities so your company is protected – and able to focus on what it does best.

To learn more, download our guide to Secure Document Processes Critical to Business Success.

Community Shred-it Events - Spreading the word about Identity Theft

Wed, 17 Nov 2010 09:53:30 GMT

Consumer fraud and identity theft are becoming an epidemic in our communities. To raise awareness and to promote prevention, we here at Shred-it are proud to organize Community Shred-it events in the cities across North America, to offer paper shredding services for residents.

These community shredding events give individuals the opportunity to have their confidential documents destroyed on site, either free of charge or with a minimal donation to a local charity or association. Whether it is small business documents you no longer need or personal papers you want to safely dispose of, Shred-it’s trucks contain cutting-edge proprietary paper shredding technology that can handle the job.

Community Shred-it events are also a great opportunity for your community to spread the word about identity theft. Held in both public and private places such as police stations and shopping center parking lots, Community Shred-it events vary in size and in scope. Shred-it has been known to serve as many as 2,000 community members at one community shredding event, with more than 70 tons of paper recycled.

So what’s in it for us, you ask? The answer is simple. Community Shred-it events increase the knowledge of identity theft, making our communities safer places to live. Generating goodwill with potential new clients and strengthening existing customer relationships also makes good business sense.

Read more information on Community Shred-it events, check out our Facebook page for upcoming Community Shred-it events or read our Identity Theft Fact Sheet.

Quick Ways for Healthcare Professionals to Protect Privacy

Wed, 10 Nov 2010 13:53:44 GMT

As a healthcare professional, you’re acutely aware of the rigorous legal and regulatory obligations put forth by HIPAA and other health privacy organizations. What’s more, you didn’t need rules or laws to remind you to take your patients’ security seriously…after all, that’s a critical part of being a healthcare professional. Not only do such steps keep your practice compliant, but also it follows that when your organization is taking a proactive approach to privacy, it will reap the intangible benefits of increased patient confidence and trust.

But, those precautionary measures such as security redundancies, paperwork destruction, etc. can be onerous to adhere to – and can consume valuable time and personnel resources. With this balancing act of compliance versus efficiency in mind, it makes complete sense for your practice to develop procedures and policies that are both 100% compliant and streamlined. By implementing them, your practice will be in a position to prevent such breaches, rather than reacting and responding.

Perform an initial security audit. Identify what data you are collecting, how you are using that data, with who you’re sharing that data and how you are protecting it. Once you’ve completed the preliminary audit, review processes carefully for loops or lapses that could lead to a breach. After the initial audit, you’ll need to plan for quarterly ones to ensure your procedures are compliant with the latest regulatory legislation.
Develop a privacy policy. At its basic level, a privacy policy will clarify what data your practice collects and how it is used and protected. Once the privacy policy is developed, it needs to be communicated to patients as well as internal personnel – plus adhered to!
Respect patients’ information. When you’re subject to HIPAA regulations, you have legal obligations to obtain consent prior to certain processing activities, including most third-party disclosures of information. In most cases, aA patient’s data should be used for health purposes only, such as treatment and payment. A patient’s consent must be sought and obtained prior to engaging in any non-healthcare purposes such as releasing information to financial institutions or selling mailing lists to interested parties.
Develop safeguards and redundancies. As we all know, mistakes can happen – a breach could literally be as simple as transposing two digits in a fax number. Getting back to the first point,Your must ensure your record fulfillment team has a system of checks and balances that ensures the right information is sent to the right place.
Destroy sensitive information securely. Medical identity theft is on the rise, and that’s due in part to the vast amount of confidential patient paperwork that is created in order to maintain compliance. Waste baskets, recycling bins and unsecured file folders can be easy targets for thieves. Access to confidential information needs to be limited, or more practically, destroyed securely. Given the burdens of running a successful and compliant medical practice, it may make sense to consider outsourcing document destruction services. An outsourced model ensures documents are destroyed safely and thoroughly, plus reduces the burden on internal personnel.
Training is essential. Simply put, training cannot be over-emphasized. HIPAA regulations and privacy legislation are continually updated so compliance is a moving target. Regularly scheduled employee trainings help staff stay current on changes. Moreover, by emphasizing training and compliance, you’re able to reinforce the privacy and patient-first company culture.

These suggestions and tips in this brief post are intended to help you find a starting point in reviewing, revising and shaping your internal policies and practices. While some of the suggested tips such as internal audits may seem daunting, others such as outsourcing a document destruction provider, can be implemented quickly and easily – and make a huge, positive impact on your level on compliance.

As your medical practice grows, doubtlessly the challenges of protecting the privacy of customer data will also continue to expand and increase. But, the importance of maintaining a compliant practice cannot be overstated. Not only can violations spell disaster in terms of patient satisfaction and retention but also your medical practice could be exposed to civil and/or criminal prosecution, which could result in large monetary penalties. In the case of privacy protection and taking precautions against identity theft, preventative measures are truly your practice’s best friend.

To learn more view our free Preventing Medical Identity Theft Guide

Reputation: Your Most Valuable and Fragile Small Business Asset

Wed, 10 Nov 2010 13:52:49 GMT

What’s in a name? Your company’s name encompasses so much more than a sign on a wall, a website address and a product or service. It represents a philosophy, the people who work for it, and quite possibly the most valuable asset, its reputation. Larger companies have embraced this mindset for years and promote the importance of reputation in their marketing messages such as Jeep’s new slogan, “The things we make, make us.”

But, you don’t have to be Jeep or a Fortune 500 company to appreciate the importance of a carefully cultivated and maintained reputation. Small businesses need to promote, preserve and protect their brand and reputation, too. In the era of online review sites and social media where everyone (yes, everyone) has a microphone, reputation management matters more than ever for small businesses. In an article published in July 2008 in Small Business Search Marketing, Matt McGee writes, “We’re doing business in an era when search engines appear to be putting greater value on blogs and user-generated content; when customers are more likely to trust the unfettered comments of their peers; and when anyone unfamiliar with who you are and what you do is likely to type your name into a search engine and ‘Google’ you.”

Given the likelihood that potential customers will be researching your brand online before you even know they are interested, it makes sense to turn a careful eye towards preserving and protecting it. Reputation management steps include performing research on your own company and product names, seeking peer to peer feedback and ensuring your customer support quickly resolves any client issues. But what can you do to protect your brand from more insidious reputation problems such as security breaches or identity theft?

Experts caution that small businesses are more vulnerable to identity theft than larger companies because many SMBs lack the internal procedures or security redundancies to protect themselves from such crimes.

Additionally, small businesses typically don’t have the deep pockets to withstand the monetary damages from a theft. What’s more, the very issue at the heart of this post – the importance of maintaining a stellar reputation – is now jeopardized, which could result in lost business.

With the importance of protecting a small business from identity theft, what steps should your company be taking today to reduce the risk?

Develop secure processes for the handling and/or destruction of paperwork containing confidential information.
Invest in software and hardware that provides the latest encryption protection if you complete transactions online.
Create a company culture of responsibility and security. When employees are integrated within the company’s philosophy and values, they’ll feel more empowered to “do the right thing.”
Ensure all new hires are initiated to security processes and understand the importance of following them.

While many of these steps can be handled internally, it also makes sense to consider which of these precautions can be handed over to outside experts. For example, consider having an outside security company audit your informationonline security. They can review your software, hardware, website, etcprocesses and information flow to. and determine if there are any loopholes –is any potential for a breach and make recommendations for how to correct them. Some companies will do this for free.

Another opportunity to seek outside services exists within document destruction. When you think about the sheer volume of paperwork your business produces on a daily basis – billing receipts, credit card transaction slips, employee paperwork and more – there are plenty of opportunities for criminals to harvest sensitive information this information to get into the wrong hands if it isn’t destroyed carefully. And destroying paperwork is comprised of so much more than placing a shredder in the room with the copier.

Considerations for sound document destruction include: professional grade shredding equipment, timely collection of documents and shredding them on site in a secure environment. A quality outsourced shredding company can answer all of these needs, plus provide screened personnel that has been trained in best practices for compliant document destruction.

By understanding the importance of protecting your small business from identity theftsecurity breaches, which in turn protects its all-important reputation, you can feel confident that your brand can stand up to the press and online feedback. Even more important, while we’ve examined the need for secure, anti-theft protocols from a reputation management perspective, these security measures to protect consumers are more than a moral obligation – it’s also the law.

To learn more, download our free Customer Service Guide to Secure Document Destruction and Reputation Management.

Or, read the Small Business Guide to Document Security.

How to Create a Total Security Culture: Eight Practical Tips

Tue, 02 Nov 2010 17:22:27 GMT

As a human resources professional, you’ve felt the sting of a tough economy. Perhaps it hasn’t been as blatant as higher sales goals or pay cuts, but doubtlessly, you’ve been asked to accomplish as much or more than before, with fewer resources. You may have fewer supporting administrative assistants or less people handling the pre-screening of candidates – whatever the changes, the result is the same – your time is more precious than ever.

With this time and money-savings mentality, it can be easy to lose sight of the big picture which is staffing your company with talented, industrious and loyal employees. Nowhere is the integrity of your team more apparent than when considering the unwelcome event of a security breach. Security breaches, which result in identity theft, should be a major concern for companies of all sizes. According to Javelin Strategies, a research firm that reports on identity theft, incidences of the crime increased by 11% from 2008 to 2009 and affected 11 million Americans.

It’s a crime that’s not just costly to the victim. Should your company experience such a breach, it faces costly repercussions such as: negative media coverage, increased customer attrition rates, declining sales, increased scrutiny by regulatory agencies and, possibly the worst consequence of all, a seriously damaged reputation.

With a clear picture of how important it is to prevent identity theft and security breaches, what can human resources do to help?

Spend time on the pre-screening steps. While such measures are a cost to the company in terms of time and resources, they can quickly spotlight a potential new hire’s problematic tendencies. Reference calls, credit audits, background checks, motor vehicle records and drug tests are all commonly employed tactics to help determine if an employee is suitable for hire.
Create security awareness campaigns. Many security breaches committed internally are simply a result of carelessness. Implement regular training sessions for each department to review best practices for internet security, document handling and more.
Implement ongoing training. In conjunction with the IT department, train employees to operate the technology and systems in conformance to all appropriate policies. As a deterrent, include an overview of how activity is monitored and who is notified on any irregular activities.
Educate employees. With identity theft on the rise, thieves have clearly devised new scams and tactics. Educate employees about the latest scams thieves use online, via e-mail, and over the phone to try to get them to divulge confidential information.
Keep employment records immaculate. While the IT department will likely be the resource to deactivate logins and credentials, it is the job of human resources to coordinate such communications. Ensure your company and department has iron-clad communication policies about personnel changes.
Determine who needs access. In keeping with point 5, it also makes sense to conduct periodic audits of employee logins and credentials to ensure their level of access is aligned with their job responsibilities. It is a security best practice to limit access as much as possible, within reason.
Destroy paperwork securely. While recent headlines about identity theft typically revolve around malware or sophisticated phishing scams, stealing confidential paperwork remains a popular way to commit such a breach. Implement a company-wide process for the handling of sensitive paperwork such as billing transaction receipts, credit records, employee paperwork, etc. Considering the vast amount of paperwork produced, and that destroying it securely requires more than a shredder from the local office supply store, it may make sense to turn to an outside, accredited document destruction provider.
Build a culture of trust. From incentivizing quality employee referrals and rewarding outstanding attendance records to company parties or a sympathetic sounding board, the human resources department has many ways to build a culture of trust with employees. Once such a culture is built and cultivated, employees feel committed to the success of the organization and more empowered should they see a security breach or hear of plans for such an event.

All of the tips will ensure your company can combat against identity theft and security breaches. Human resources is in an ideal position to make security a company-wide initiative because it is involved in every stage of the employee’s tenure…and these practical tips are a great starting point.

To learn more, read the Human Resources Guide to a Total Security Culture

The Financial Risk of Poor Document Security

Wed, 27 Oct 2010 11:16:18 GMT

In the business world, profitability is the end-game goal and in order to help achieve this measure of success, businesses are working diligently to control costs. While managing expenses with a keen and watchful eye is important, there are certain aspects of running a successful business that are so important – so critical – that a decision can’t be made based on dollars and cents alone. For example, consider the growing epidemic of identity theft.

Businesses have the responsibility to protect the information they are managing. According to the latest statistics, it is estimated that one in 20 Americans are, or will be, the victims of identity theft and security breaches. In 2009, more than 11.2 million people lost approximately $54 billion dollars. This stat represents a whopping $7 billion increase from the year before!

From stolen wallets to sophisticated online phishing schemes, identity theft can come in almost any shape and size these days. Yet one of the most common openings for identity theft stems from sensitive, personal information being disposed of in an unsecure manner. There are numerous opportunities for such crimes when you consider that credit card numbers, banking information, etc. are commonly printed for billing or record-keeping purposes…yet, how are they disposed of?

Unlike one might guess, the bulk of identity theft does not occur at the hands of a disenfranchised or nefarious employee. Rather, it comes from this highly-sensitive information being left in trash cans or recycling bins where a third party vendor is responsible for disposing of it. Unless the company responsible for removing this paperwork adheres to rigorous disposal standards, sensitive information could be exposed.
The repercussions for such breaches extend far beyond the inconvenience and financial distress to the victims. All potential victims, even if unaffected initially, need to be notified. You may need to offer complimentary credit monitoring services to the potential victims who were exposed. These notifications and services cost money and time.

Just as troubling as the direct impact to victims is the state of your company’s reputation. As word of the breach reaches the marketplace, new prospects may be hesitant to do business with a company who has a track-record of non secure and compliant practices. Moreover, your company will likely be subject to future protocol audits after experiencing such a breach. As one can envision, the financial repercussions of such a security breach extend far beyond the cost to victims.

This worst-case identity theft scenario is preventable, so long as you properly execute and manage the disposal of sensitive information. While a bottom-line, expense-controlling mindset may lean toward an in-house model, securely disposing of sensitive data requires more than purchasing a paper shredder from your local office supplier. Resources need to be allocated to collecting and destroying the paperwork – and it must be shredded in such a manner that the paperwork can never be reconstructed. Additionally, the equipment itself must be maintained.

With these very real hard and soft costs, another approach may be to select information destruction services from a reputable, external vendor. With a business based solely on collecting and securely destroying sensitive data, the outsourced vendor should be able to offer: best-in-class equipment, reliable scheduled pick-ups and an established, secure document destruction protocol -- preferably on site, where all sensitive information is destroyed before it leaves your property. While price can be a consideration, the security of sensitive information has such far-reaching ramifications that you shouldn’t be making a purchase decision based on price alone. Finally, much like properly disposing of sensitive information helps protect your company’s reputation, research outsourced disposal vendors carefully and choose one with a stellar reputation.

With a clear understanding of the magnitude of identity theft and the financial effects for both victims and companies, it makes sense to carefully review your document disposal process. Rather than let bottom-line price control your decision-making, consider what a breach of security could potentially cost your business and how much it is truly worth to minimize that risk by finding a reliable solution that protects your clients and your company.

To learn more, download our guide to Secure Document Processes Critical to Business Success.

How to Protect Your Customers from Identity Theft

Wed, 27 Oct 2010 11:13:17 GMT

Protecting your customers from identity theft is more than just a company’s moral obligation -- it’s the law. All companies should be taking precautionary measures to protect their clients’ information as any type of breach can be devastating. Identity thieves are diligent and understand common mistakes even earnest companies can potentially make in regards to client information. They are clever and have worked out sophisticated security scams which can have a detrimental effect. If a security breach does occur within a company and a customer’s identity is stolen, they will have to deal with a damaged reputation, monetary restitution fees, the loss of customer loyalty and scathing media mentions.

Identity theft was not declared a federal crime until 1998. In the same year, many regulations were enacted across all states to protect customers involved in ecommerce. Every year new and amended legislation is introduced to continue the battle with identity theft. While these safeguards will help prevent and deter identity theft, the paperwork that nearly every business needs to keep for tax and record-keeping purposes must remain protected. Examples of such documents include customer lists, sales statistics, personnel files, account records, credit card receipts, medical records and outdated business records. These thousands of documents that contain sensitive information of customers must be destroyed securely.

A few best practice security breach prevention tips include:

Shred everything on a regular basis. By implementing “shred all” policies, you avoid the risks of human error or poor judgment about what needs to be shredded.
Shred before recycling. Don’t let confidential documents sit unattended in recycling bins
Create a culture of security. Train all employees in information security best practices to reduce human error. Explain why it’s important, and conduct regular security audits of your office to assess security performance.
Think prevention, not reaction. Instead of just dealing with breaches as they happen, develop preventative approaches that are strategic, integrated and long-term, such as eliminating security risks at the source and permanently securing the entire document lifecycle in every part of your organization.

While a company can implement its own paperwork destruction procedures, they also then must allocate the time and resources to ensure the document destruction occurs at regular intervals and the paperwork cannot be reconstructed. Professional document destruction services exist for this very reason and provide more than just state of the art equipment. They can also destroy documents onsite so businesses know sensitive paperwork has not left their premises. Some document destruction services raise the bar even higher with personnel that are trained in identity theft legislation compliance so they can ensure best practices are instituted and followed. By trusting professionals to handle this important part of running an aboveboard and compliant operation, companies are now able to focus on doing what makes them successful without the fear of a major security breach.

To learn more, download our free Customer Service Guide to Secure Document Destruction and Reputation Management

Identity Theft - It Affects More than Just Big Corporations

Mon, 04 Oct 2010 14:30:10 GMT

When we hear about the growing epidemic of identity theft on the evening news, it is typically focused on the large corporations. Yet, the news headlines can be misleading because identity theft and security breaches aren’t limited to big companies.

According to a Business Week article published in July 2009, in a study conducted by Javelin Strategy & Research, small business owners are 25% more likely to be victims of identity theft. How is this fraud committed? Most commonly, small to medium sized businesses (SMBs) are compromised due to online phishing scams, improperly secured credit card transactions or the sloppy disposal of confidential documents. The thieves can be internal personnel, although other likely scenarios include third-party cleaning, maintenance, recycling vendors or external companies.

Criminals tend to find ample targets amongst the SMB sector because these relatively small companies are focused on growing their book of business and often don’t have the resources that larger corporations have to combat thieves and scams. A closer look at such reasons includes the SMBs lack of:

Financial reserves. Identity theft is a cruel financial blow for any organization, but SMBs are particularly vulnerable because their financial position is often more precarious, with much smaller on-hand cash reserves to combat fraud.
Legal resources. Larger corporations typically have onsite legal teams who can provide counsel in the event of a security breach. SMBs rarely have access to such resources and support.
Standardized policies. Many SMBs are so focused on a growth strategy that internal “housekeeping” issues such as security policies and compliance requirements are often relegated to the back burner, leaving them exposed to risk.
Human resource departments. Due to their smaller size, many SMBs don’t employ human resource personnel. Since the onus of keeping employee paperwork secure falls to HR, this omission can expose sensitive information to potential risks. Additionally, HR handles the screening of new hires, so without an HR department, employees may not be screened as thoroughly.

With these considerable challenges in mind, it makes sense to emphasize the importance of keeping sensitive and confidential data secure and reducing the opportunity for theft. It’s also critical to balance the need of reducing this risk with finding a solution that isn’t so costly that an SMB cannot afford it.

One obvious solution is to protect sensitive digital information with the latest security software and hardware. Implementing such a solution requires more than simply buying the latest software package from an office supply center – it makes sense to consult with professionals who can advise SMBs as to what they need to protect themselves and how often they need to update/upgrade the equipment.

In addition to protecting online and digital data, SMBs must consider the risk that paperwork with sensitive information contains. Confidential information left on desks, in wastebaskets, recycling bins or shredded by low-end strip shredders can be stolen, reconstructed and used by thieves. SMBs can tackle destroying the paperwork themselves, but it is time consuming and isn’t cost effective to have employees spend their time shredding. Not only does an SMB need to purchase and maintain high-end shredding equipment, but also the company needs to ensure personnel can allocate time to collect and destroy the information.

Finally, both the US and Canada have enacted more stringent legislation over the last few years to combat identity theft. While these rules are essential, and designed to protect the consumer, they also increase the difficulty of staying 100% compliant. Even more difficult for SMBs, rules and regulations can vary by state!

With a clear picture of the overwhelming importance of protecting SMBs and their clients from identity theft, and the obstacles of bringing such safeguards in-house, it makes sense to consider outsourced providers such as secure paper shredding services. With state of the art equipment, meticulous screening processes and compliance methods that ensure 100% security, an outsourced shredding service can provide peace of mind without bulking up internal processes. Additionally, SMBs will have the added comfort of knowing such companies are abreast of the latest compliance and legal regulations; leaving SMBs to focus on growing their business, without the added stress of identity theft.

To learn more, read the Small Business Guide to Document Security

Medical Identity Theft - One of the Fastest Growing Crimes

Mon, 04 Oct 2010 14:23:37 GMT

From keeping up with the latest technologies to providing top-notch patient care, there’s no doubt that healthcare industry professionals have a lot on their plate these days. But, would you imagine that one of their major concerns has nothing to do directly with patient care? Healthcare practices are spending large amounts of time and money keeping their practices compliant with the latest HIPAA regulations, and working hard to prevent a new trend in crime – medical identity theft.

While it may not be making mainstream headlines, according to Javelin Strategy and Research, fraud resulting from exposure of health data has increased 112% year over year, from 3% in 2008 to 7% in 2009. To put this stat in perspective, medical identity theft is regarded as the fastest growing form of identity theft in America today and it is estimated that each year 250,000 to 500,000 people become victims of medical identity theft.
Just like identity theft, medical identity theft is the act of stealing medical records or medical information of a patient. Both the medical facility and the patient suffer great losses once they are victimized by this type of crime. Imagine this scenario – when you check your mail one day, you find a giant bill from a hospital emergency room, yet you haven’t been to the doctor for anything other than a routine visit in years. So where did this five-figure bill with your name on it come from? The answer –someone stole your information and used it to obtain medical treatment and/or prescription drugs.

Unfortunately, medical theft is a growing epidemic and is largely attributable to the large volume of paperwork medical providers are required to keep, in order to maintain 100% HIPAA compliance. Instances of medical identity theft are commonly reported when:

Patients’ records are accidentally faxed or mailed to the wrong person
Medical records are stolen and misused after being disposed of improperly
Laptops containing confidential information or medical records are lost or stolen
Medical files left unattended in file rooms, on staff desks and in door folders; or unrestricted physical access to sensitive medical files.

While these security breaches might sound relatively innocuous, they are a huge concern. Not only does the medical facility face damage to their reputation and restitution fees, but also HIPAA has enacted legislation over the last year that makes such breaches very expensive – and on a punitive scale. Even worse, the victim may not realize the crime has occurred immediately due to lags in billing cycles so the theft is larger and potentially more costly. As if these scenarios aren’t nightmarish enough, add the fact that someone’s medical records could be tampered with, leading to improper medical care or misdiagnosis.

With these costs to both victims and facilities in mind, preventing medical identity theft must be a high priority for medical facilities. It’s especially critical for smaller practices to take precautionary measures because they may have fewer internal protocols to protect patients…and shallower pockets to weather such an event. Ways to reduce medical identity theft include:

Developing stringent and enforceable policies regulating access to sensitive patient information, as well as the protocols for authorization and authentication of individuals accessing health information.
Designating an annual budget for security management systems
Training employees on current HIPAA legislation and ensuring it is followed
Destroying sensitive documents in a timely manner
Partner with a document destruction specialist to audit your operations to help your organization identify gaps in security.

These preventative measures are a great starting point towards safeguarding sensitive information, but implementing some (or all) of them may not be feasible. For example, staying abreast of HIPAA legislation and what it means to be compliant is an ever-changing target. Over the last 18 months, new legislation has been passed that protects the patient- and places a greater burden of compliance on the practice.

One way medical practices can lighten the load of compliance and reduce the risk of identity theft is to destroy these copious amounts of confidential patient paperwork. Simply put, sound document destruction practices play a large role in protecting patients’ privacy. Properly destroying paperwork that can’t be reconstructed often requires professional-grade equipment plus a secure shredding environment.

Professional document destruction services can offer these security redundancies plus screened employees who are trained in the latest updates to compliance legislation. To be clear, not all document shredding services adhere to such rigorous standards so it’s critical to research such a provider. Once such a quality shredding provider is inserted the document destruction process of a hospital or medical practice, the facility can expect to reduce its exposure to medical identity theft. This shift in thinking and operations does more than protect the medical facility – it protects the patients.

To learn more view our free Preventing Medical Identity Theft Guide

Welcome to Shred-it’s blog, Securing your Information!

Fri, 01 Oct 2010 14:15:17 GMT

Welcome to Securing your Information – where you’ll find posts on topics such as preventing security breaches and identity theft, the importance of information security, the responsibilities of businesses to protect their sensitive information and tips on choosing a secure information destruction provider. We hope this becomes a valuable resource to you and encourage you to share and discuss the posts.