Everyone will agree that it is a lot easier to throw old documents into the “blue bin” and have someone else deal with the destruction. It is also a lot easier to just have that asset management company pick up your retired computers for recycling. No mess and no fuss, right?
Who are these purveyors of the blue bin or these recycling companies? These 3rd parties may advertise themselves as security experts who will “totally sanitize” your information. They may also be members of NAID, an association that has attempted to be an overseer of best practices for 3rd party destruction companies. While NAID does an adequate job and publishes a significant amount of information and education for the 3rd party destruction community, in the end it is the integrity and competency of the specific 3rd party that you, as the owner of the information, need to be concerned with.
Yes, a 3rd party will give you a Certificate of Destruction, but if your information is breached, that certificate is not worth the paper it is written on. In a past life, I was in charge of a golf ball manufacturing company. Surprisingly, golf ball manufacturing is a complex process that requires significant prototyping of new ball designs. Many of these prototypes would need to be destroyed for one reason or another. I relied on a 3rd party, who supplied me with a certificate of destruction, for a number of prototype ball designs that were supposedly destroyed. It only took a month for these prototypes to start showing up on the internet, even though I had the certificate of destruction! Moral of the story: you cannot rely on 3rd parties for your most sensitive destruction. As such, for more certain control, we brought the destruction of prototypes “in-house”.
I am not saying all 3rd parties are incompetent; that is the farthest thing from the truth. There are a number of very qualified and competent destruction companies out there that can be relied on to perform the destruction properly. What I am suggesting is that there is a happy medium as to what should and should not be relegated to 3rd parties. I recommend you start with the whole population of information you need to control and characterize it by level of importance. The U.S. Government is a leader in the characterization and control of sensitive information, and I have taken some of its more common classifications and adapted them for the private sector.
Controlled Unclassified Information (“CUI”) and/or Personally Identifiable Information (“PII”) is information that is sensitive but may not be specific to a business. This classification may include general account information and some personal information (without account numbers).
Secret is information that needs to be protected, such as trade secrets, credit card information and bank statements; if this information is breached, it could cause both financial and reputational damage to the company or individual.
Top Secret information is the most sensitive information, and if it is compromised it will cause significant damage to you and your business. This information would include social security numbers, customer credit card information, trade secrets and business plans, just to name a few.
The exception to the above classifications is hard drives, regardless of how they were used. All electronic media should be treated as Top Secret because of the sheer volume of information stored on it and the ease with which that information can be breached.
Most information should fall into the CUI and/or PII category. Once you have characterized the type of information you have, you then need to determine the appropriate level of destruction or sanitization. For your Secret and Top Secret information, I recommend cross-cut shredding everything yourself. Again, you need to be certain that the information has been destroyed. I also recommend having a specific plan in place with your information technology organization to ensure that all hard drives, regardless of origin, are destroyed or disabled before a 3rd party recycler is allowed to take the drives. Include phones and tablets in the “need to destroy/disable” category before handing them to a 3rd party as well.
So, as Smokey Bear says, “Only you can prevent forest fires.” And if you have a security breach, only you will bear the consequences.