About Me

My photo
Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander All opinions are my own unless explicitly stated.

Tuesday, August 24, 2010

On the difficulty of preventing identity theft

A week ago, I was moving to a new house and helping my in-laws move their stuff too.  They've run various businesses in the past, which of course creates LOTS of paperwork, including personally identifiable information (PII).  Since the business in question has ended, it was time to destroy the data.  In the chaos and stress of moving, it would have been easy to accidentally throw the private information out with the regular garbage/recycling.  That sort of mistake happens often, and it's one way personal information gets stolen.  Information security isn't just a matter of high-tech software and log files, it's also about making sure documents are destroyed properly and people can't look over your shoulder when you're accessing confidential stuff.  Preventing loss of data due to dumpster-diving isn't cool, but it's important.

If you're a business (regardless of the size of the business), you're going to generate paperwork.  The way you prevent this sort of problem from arising is by creating a clear document policy.  Take a page from the government and assign your documents to clear, simple categories.  For example, "not private", "internal use only", "secret", etc.  Clearly define who can have access to what document type, and make sure anything secret isn't in a location where untrusted people like visitors, janitors or contractors can wander across it.

For any kind of PII, intellectual property or trade secrets, establish how long you need to store it and securely destroy it (shred, incinerate, etc) when it's past the expiration date.  If you keep up with your document destruction duties, it won't become an overwhelming pile that you need to destroy right now!  That's how mistakes happen and a file/database of bank accounts ends up in the dumpster for some opportunistic thief to steal.

Everyone should have a shredder for this sort of task, but if you're a business you may be better off using a document destruction service.  Typically, they leave some sort of locking container for you to place your confidential information into, and collect it at regular intervals.

No comments:

Post a Comment