Monthly Archives: November 2019

Paper can be ‘hacked,’ too – the forgotten document problem

Larry Ponemon

It doesn’t take the stealth and sophistication of a cyber attacker to cause a data breach. A careless employee leaving a sensitive document in a communal printing tray or a malicious insider intent on stealing information in documents that have not been properly destroyed can result in the loss or theft of critical information assets.

The research, sponsored by Shred-it, reveals the inadequacies in organizations’ policies regarding the protection of confidential documents in the workplace. Ponemon Institute surveyed 650 individuals who work in both IT security and non-IT positions in North American organizations. All respondents are knowledgeable about their organization’s strategy for the protection of confidential and sensitive information.

“The report reveals two key factors about information security in North American businesses – employee negligence, intentional or not, can be a leading contributor to data breaches and that businesses should equally consider the needs for cybersecurity and physical information security within their organization,” said Ann Nickolas, Senior Vice President, Stericycle, the provider of Shred-it information security solutions. “Although cybersecurity is no doubt an important element of protection, businesses should look to strike a balance between investing in physical security and cybersecurity, as well as integrating better communication with employees on risk factors, to best arm themselves against potential breaches.”

Many data breaches involve the loss or theft of information contained in paper documents and electronic devices. According to the findings, 68 percent of respondents say their organization experienced a data breach in the past 12 months. Of these respondents, 69 percent say one or more of these data breaches involved the loss or theft of paper documents or electronic devices containing sensitive or confidential information.

Why documents containing sensitive and confidential information are at risk:

There is a security disconnect in the protection of confidential documents. The chief information security officer and chief security officer are most responsible for protecting confidential information, according to 21 percent and 18 percent of respondents, respectively. However, they rarely have responsibility for granting access to paper documents or electronic devices containing sensitive or confidential information.

Most companies are not training employees about secure disposal. Only 45 percent of respondents say their organizations have a process for disposing of paper documents containing sensitive or confidential information after they are no longer needed. Less than half (46 percent of respondents) say their organizations are training employees about the steps they should be taking to ensure documents are appropriately disposed of. Furthermore, very few respondents say their organizations automate restrictions to print from specific devices and to print specific files, 29 percent and 27 percent, respectively.

Organizations are not taking basic precautions to prevent the loss or theft of confidential documents. Confidential documents are not secure because few organizations are requiring employees and contractors to lock their desks and file cabinets (38 percent of respondents). Only 33 percent of respondents say they prevent unauthorized access to document storage facilities and 31 percent of respondents say a clean desk policy is enforced.

The lack of policies and training for secure disposal is having an effect on respondents’ confidence in keeping confidential documents secure. Only one-third of respondents have confidence in their organizations’ ability to govern the use, protection and disposal of paper documents. Fewer respondents (26 percent) have confidence in having visibility into what employees are doing with confidential documents.

Organizations are unable to restrict employees’ access to paper documents they should not see. Most respondents (61 percent) are unsure or disagree that the protection of paper documents is just as important as the protection of electronic records. As a result, 60 percent of respondents strongly agree or agree that employees, temporary employees and contractors have access to paper documents that are not pertinent to their role or responsibility.

Only 37 percent of respondents strongly agree or agree that it is convenient for employees and contractors to destroy paper documents with sensitive and confidential information. The fact that only 41 percent of respondents agree employees and contractors recognize the types of information that are sensitive or confidential demonstrates the lack of training in organizations.

Confidential documents are left in plain sight. Sixty-five percent of respondents are concerned that employees or contractors have printed and left behind a document that could lead to a data breach. Even more respondents (71 percent) admit they have picked up or seen a paper document in a public space that contained sensitive or confidential information.

More than half (51 percent of respondents) say they either keep the document or throw it in the garbage. Only 33 percent of respondents say they shred the document after reviewing it.

Sensitive or confidential information is exposed because employees send and receive emails not intended for the recipient. Seventy-seven percent of respondents admit to sending emails containing sensitive or confidential information to the wrong person. Eighty-eight percent of respondents say they have received such emails.

In the report, we provide a deeper dive into the key findings. The complete audited findings are presented in the Appendix. We have organized the report according to the following themes:

  • Steps taken to protect confidential information in paper documents and electronic devices
  • Reasons for the insecurity of confidential documents in the workplace
  • The practices of organizations that are confident in their ability to protect sensitive information in paper documents

Read the full report at Shred-it’s website.

Smartphone hijacking hits the big time; how to protect yourself

Bob Sullivan

It was a shock in August when Twitter CEO Jack Dorsey’s Twitter account started sending out racist Tweets.  He’d been hacked, of course, but perhaps the biggest shock of all was how easy it was — @Jack was the victim of simple SIM card swapping.

SIM “hacking” isn’t new — basically cell phone hijacking — but it’s become much more important of late, for a whole host of reasons. The biggest: Our smartphones have become our new passwords, so criminals who can control the gadgets can control our digital lives.  We’ve spent years (rightly) pushing consumers towards two-factor authentication, but as so often happens in the world of security, we’ve traded one problem for another. We all agree that Social Security numbers make terrible passwords, so we’ve switched to phone numbers now.  And the fallout is just beginning.

Everyone who’s ever upgraded their cell phone at home knows what a SIM card swap is.  You tell your mobile provider to send your calls and texts to your new phone, rendering the old one useless.  This can involve literal swapping of a SIM (subscriber identification module) card. Today, it often happens via software and over-the-air updates. Easy enough.

The problem occurs when a criminal convinces a mobile provider to “upgrade” your phone to a phone they control. That means the criminal is now able to intercept all calls and text messages headed to you.  Big problem. If your bank is looking to authenticate you with a 6-digit code at login, well, there goes that security method.  And if you are the CEO of Twitter, a SIM card swap hack can give criminals a chance to publicly embarrass you.

It should also make you think: Wouldn’t Twitter Jack have pretty tight controls on his account?  Yet still criminals were able to access it? Can you think of anyone else with a high-profile account that would make a juicy target for hackers?

You are a juicy target, too. I’ve written a lot about theft from Zelle and other P2P payment accounts recently. Some victims have no idea how it happened, leading me to imagine that in some cases, SIM card swapping could be at play.  Really any account that relies on an SMS text message for login could be a target.

If you are a smartphone owner, this should make you personally nervous. Think of all the things criminals could do if they could access your text messages.

Mobile providers are trying to fix this problem, but they are a long way from having a great solution. In the meantime, you have to act to protect yourself. I’m really glad Liz Weston wrote about this recently for the Associated Press and NerdWallet. You should read her story in the Washington Post, which includes a few thoughts from me. But here’s my need-to-know information for you.

RED TAPE WRESTLING TIPS

  • Know the signs: If you are the victim of a SIM Swap, your handset suddenly won’t work. Texts won’t go through. That might look to you like you just hit a spot with no cell signal, but your phone won’t show a weak signal: It’ll show no signal.  If this happens, be on heightened alert. Maybe it’s a false alarm. But now you know that maybe it’s a sign you’ve been hacked. Now, time is of the essence. Criminals aren’t doing this for fun, they are doing this to steal money.
  • Have an emergency plan: If your phone is hacked, it won’t work. So you can’t count on calling customer service to ask what’s wrong.  Your phone won’t work! Do you have a second phone, or quick access to one? Do you know how to Tweet at / email customer service, or use Skype from a laptop?  When a SIM hack happens, you need to reach out to your mobile provider fast. Have a plan for that.
  • Teach customer service: When you reach an operator at your mobile provider, don’t count on him or her knowing what’s going on. SIM Swapping is still new to some of them.  You might have to teach them what it is. Keep this story handy, or Liz Weston’s story. Send them to my website.  The quicker you get past front-line customer service to a knowledgeable operator, the less time hackers will have to root around your digital life.
  • Use Authenticator, not SMS: Two-factor authentication is good. But using SMS/text messages as that second factor isn’t great.  Many sites allow use of a token generator, like Google’s Authenticator app. That’s a much safer way to protect your accounts than text messages.  Make the switch now, while you’re thinking about it.
  • Consider adding a PIN code. Yes, another one. To your mobile account.