Paper Shred Sizes (and What They Mean)

March 30, 2023 at 2:14 pm by Amanda Canale

When destroying any end-of-life data, whether it be paper, hard drives, solid state drives, or other forms of media, there are very strict guidelines and laws that address how classified, top secret, and controlled unclassified information (CUI) should be disposed and securely destroyed. These requirements are determined by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). 

For further context, the NSA mandates specific final particle sizes for top secret and/or classified data, regardless of the media form. They then evaluate and list end-of-life data destruction solutions that follow these mandates for destruction. (For a list of media destructions solutions evaluated and listed by the NSA, click here, and for more information what each data classification type really means, click here.)

While the federal government and government organizations are strict when it comes to how one should destroy end-of-life information, commercial companies and industries like healthcare, finance, banking, and more, are less stringent with their destruction instructions, with some left open to interpretation. 

Enter the DIN Standards. Also known as Deutsches Institut für Normung, DIN originated at the German Institute for Standardization in 1917 as a non-government organization that serves as the national standard when it comes to improving the rationalization, safety, environmental protection, and quality assurance between the government and the public. DIN is not often mandated but their guidelines serve as a widely accepted global standard while providing clarity to otherwise vague end-of-life information destruction mandates. 

DIN 66399 standards specifically provide end-of-life destruction particle size guidelines for information that resides on a wide range of media – including paper – and that specifies protection categories. (You can find more in-depth information about DIN standards here.) 

Even as we get further and further into the Digital Age, there is still such a high demand for paper. Some may say that paper is dead, but we know that paper will never really be dead. While the industries I listed above are not holding government secrets, they still store a lot of their sensitive and unclassified information on paper; information that needs to be securely destroyed or could result in severe consequences if it lands in the wrong hands.

Now that you have all of this background information, let’s get into why you’re here – what constitutes as a secure paper shred size? 

Seven Specific Security Levels 

P = Paper media requirements

Protection Category

Media Paper

Security Level

Security Level Particle Size Requirement

Class 1

P

1

12mm strips or maximum particle surface area of 2,000mm²

Class 1

P

2

6mm strips or maximum particle surface area of 800mm²

Class 1

P

3

2mm strips or maximum particle surface area of 320mm²

Class 2

P

4

Maximum cross-cut particle surface area of 160mm² with a maximum strip width of 6mm = 6 x 25mm

Class 2

P

5

Maximum cross-cut particle surface area of 30mm² with a maximum strip width of 2mm = 2 x 15mm

Class 3

P

6

Maximum cross-cut particle surface area of 10mm² with a maximum strip width of 1mm = 1 x 10mm

Class 3

P

7

Maximum cross-cut particle surface area of 5mm² with a maximum strip width of 1mm = 1 x 5mm

Here’s what each of these security levels look like:

DIN Level P-2 Paper Shred with penny for size comparison
DIN Level P-2 Paper Shred
DIN Level P-3 Paper Shred with penny for size comparison
DIN Level P-3 Paper Shred
DIN Level P-4 Paper Shred with penny for size comparison
DIN Level P-4 Paper Shred
DIN Level P-5 Paper Shred with penny for size comparison
DIN Level P-5 Paper Shred
DIN Level P-6 Paper Shred with penny for size comparison
DIN Level P-6 Paper Shred
DIN Level P-7 Paper Shred with penny for size comparison
DIN Level P-7 Paper Shred
DIN Level P-7+ Paper Shred with penny for size comparison
DIN Level P-7+ Paper Shred, a 50% smaller particle size than NSA mandate for paper, produced by SEM Model 344.

As you can tell based on the table and photos above, P7 is the smallest, most secure particle size (aside from the 0.8mm x 2.5mm particle from our Model 344, which is half the size mandated by the NSA for classified paper). Essentially, the smaller the particle, the harder it is to put back together. 

Why would you want to put a bunch of paper shreds back together? To get top secret information, of course! 

Allow us to introduce the DARPA Shredder Challenge. The challenge was created by a research and development agency of the U.S. Department of Defense back in 2011. The DoD invited top computer scientists and puzzle enthusiasts to essentially reconstruct paper shreds for a grand prize. 

The challenge ended when the winning team, who went by the name, “All Your Shreds Belong to US”, created an algorithm that automatically reconstructed the 10,000 pieces of paper based on various physical aspects of the shred, such as shred angle, shred size, and paper marks. Other teams used strategies ranging from crowdsourced-style methods to relying heavily on manual reconstruction. 

When it comes to end-of-life data destruction, it is always best to err on the side of caution. By opting for in-house data destruction methods, you and your company or agency are making the most cost-effective, safe, and secure decision. At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation and mandate, ensuring all of your end-of-life paper stays end-of-life. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Data Privacy Day

January 30, 2023 at 5:10 pm by Amanda Canale

Every year on 28 January, the National Cybersecurity Alliance (NCA) dedicates the entire week and 28 January specifically to bring awareness to the public on data protection and data security best practices. Even though we are diving deeper and deeper into the Digital Age, there’s still a large population of people who are not tech savvy, or frankly, even tech literate. The annual international campaign is called Data Privacy Day (DPD), and heavily focuses on educating people, both individuals and businesses, on how to comply with privacy laws and regulations. Moving forward, this will help the public know how they can better protect and manage their personally identifiable information (PII).

Millions of people across the globe are unaware of the various ways their PII is being used, collected, and shared, with many not knowing it’s also being sold by third parties. It’s this reality specifically why the NCA targets anyone with any sort of online presence. How did Data Privacy Day get its start? This internationally recognized day was initially established in 2008 in North America as an extension of Data Protection Day in Europe, which has been in effect since 1981. It is the first legally binding international treaty to recognize data privacy concerns. 

Last year, the NCA expanded Data Privacy Day into a week-long initiative called Data Privacy Week. The week-long campaign, lasting from 24-28 January, is filled with various steps, goals, and webinars individuals and organizations alike can make and attend as a way of encouraging transparency about how their PII is being used. 

You can find a full list of Data Privacy Week events here on the NCA’s website. Below, we break down the major takeaways both individuals and organizations should take from the week-long event.

Data: The Story of You

While you may not think your information is important or valuable, there are plenty of people out there who would do almost anything to obtain it. When it comes to keeping our PII and personal health information (PHI) safe, it is crucial to think of your personal data as the most valuable thing you own. If you were hiding some flashy, expensive, and highly coveted family heirloom, you would do anything to protect it, right? Think of your personal information as that heirloom; it is the most precious thing you have. Critical information such as your IP address, purchase history, and location can offer hackers a wealth of knowledge as to your income, spending habits, card information, and where you live. 

Know what to expect in the privacy/convenience tradeoff

Think about the last time you downloaded an app. What kind of information did you have to grant the app access to in order to use it? Share your geographic location? Grant access to your contacts and photo albums? For example, why does a puzzle app need access to my contacts and location in order for me to play? By allowing access to these very personal and private forms of information, you may be offering up much more than necessary.

When releasing or posting any private or personal information, it is best to make informed decisions on what you should do: weigh whether or not the information they are asking for is really necessary, how the benefits weigh against the tradeoff, and, honestly, if you really need the app at all. 

Adjust your privacy settings

If you decide to deem that puzzle app worthy of your phone storage and time, try to take an extra moment or two to review the app’s privacy and security settings, and adjust them to your comfort level as necessary. (I know, who even reads an app’s Terms and Agreements anymore, right? Wrong! You should!) While you’re at it, delete those apps you no longer use. In addition to taking up useless storage on your phone, they could also still be collecting data about you and your habits. 

You can get a head start with NCA’s Manage Your Privacy Settings page to get more information.

Protect your data

While data privacy and data security are not interchangeable, they are in fact a packaged deal. By adopting these practices, such as creating long and intricate passwords, utilizing multi-factor authentication when possible, and using a password manager you can continue to keep your passwords and information secure and up to date. 

Organization Level: Respect Privacy

As an organization, your consumers’ and customers’ private data should be your utmost concern. By respecting their data and being transparent, an organization instills trust which will in turn enhance reputations and company growth. 

Conduct an assessment

In a “post-COVID” world, more than 15% of total U.S. job opportunities are now remote. Regardless of if your organization operates fully remote, in a hybrid model, or is even located outside of the continental United States, it is important to understand the privacy laws and regulations in which your business operates and to ensure they are being followed. Especially when working with remote or hybrid employees, it’s best to reevaluate your security measures, access to individuals’ personal information, what that personal information may be and if it is still relevant to keep on file, and to maintain oversight of any outside partners and vendors as well to ensure they are not misusing your consumers’ information. 

Adopt a privacy framework

By adopting a privacy framework that works best for you and your consumers, an organization can help mitigate potential risk and implement a privacy culture within your organization. The NCA recommends reviewing the following frameworks to start: NIST Privacy FrameworkAICPA Privacy Management Framework, and ISO/IEC 27701 – International Standard for Privacy Information Management.

Educate employees

By creating an office culture surrounded by data privacy and data security, you are educating your employees on not only how to keep their personal information safe but how to better serve your consumers and their information. Engage staff by asking them how they view your current privacy culture, implement mandatory training and webinars, and consistently assess your current standards. 

In addition to these methods, transparency about how your collect, use, and share consumer information is crucial. Be up front and honest with your clients, users, or consumers about what they can expect their information to be used for and offer them other settings to protect their information by default.

And lastly, when your information-bearing media reaches end-of-life — whether hard drives, portable IT storage, or even paper — securely destroy it to prevent leaks and data breaches down the road.

Cybersecurity Awareness Month

September 29, 2022 at 7:27 pm by Amanda Canale

In 2004, the U.S. President and Congress declared Cybersecurity Awareness Month to be held every October. This would heavily encourage, educate, and assist citizens in staying safe online and teach them how to protect their information. Every year, the NCSA creates an engaging and informative campaign in order to raise awareness about cybersecurity and this year’s theme is “See Yourself in Cyber.”

Enable Multi-Factor Authentication

While data privacy and data security are not interchangeable, they are in fact a packaged deal. Implement and enforce best practices such as creating long and intricate passwords and utilizing multi-factor authentication when possible. What is multi-factor authentication? It’s just adding one more small step of the login process. 

First step: log in as usual. 

Second step: complete a second task to confirm your identity. (Think of it as bringing your license and a recent utility bill to confirm your identity at the bank.)  

The second step in the multi-factor authentication process is usually providing a special PIN code that was texted or emailed to you, or opening an authentication app. This is just an extra layer of security you can use when accessing sensitive information.

 

Use Strong Passwords

Verizon Data Breach Investigations found in a 2020 study that approximately 81% of all data breaches are caused by hackers easily accessing their sought after accounts. How are they able to easily access them, you ask? Two words: weak passwords. 

When companies, managers, and individuals fail to adhere to password guidelines, do not offer password training to your team and fail to educate themselves, and forgo multi-factor authentication procedures, businesses continue to put their cybersecurity at risk.

If you’re now second guessing your own passwords, good. If you’re not, we’re judging you a bit. (Don’t worry, we won’t leave you stranded.) Weak passwords are any sort of phrase or term that is common, short, and/or predictable such as the owner’s name, birthday, or the literal word, “password.” Instead, experiment with a longer password made up of a mix of upper and lowercase letters, numbers, and symbols to help keep your password and data safe. Essentially, the more complex the password, the harder it is for cybercriminals to hack your information.

 

Recognize and Report Phishing

We’re all humans and we all make mistakes. It’s inevitable! Unfortunately, mistakes have consequences. According to a 2019 study, more than 80% of reported data security incidents were caused by phishing attacks. When you interact with a suspicious email link, an attachment, and even senders, your risk of falling victim of a phishing scam rises every time. In today’s modern digital age, hackers have become upped the creativity when it comes to these sneaky scams. If an email or email address looks a bit off to you, it’s always best to either delete or send to your IT department to investigate.

Update Your Software

Regardless of the industry you’re in or kind of organization, having up-to-date, proper cybersecurity protocols and methods in place (in addition to proper in-house end-of-life data destruction!) should always be a priority. It is far too easy for hackers to access and steal sensitive data when your cybersecurity software is not up to date. Check with your business’s IT department or do your own research to make sure you are not ignoring any updates or downloading unauthorized software. It’s also important to note that one should never disable their software’s security features, especially if it is on a work-issued computer or laptop. Your online shopping can wait until you are in the safety of your own protected network and home.

To find out more about Cybersecurity Awareness Month, visit their website here.

10 Cybersecurity Tips for Small Businesses

November 15, 2018 at 4:02 pm by Heidi White

Information Security — The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Cybersecurity — The ability to protect or defend the use of cyberspace from cyber attacks. —”Glossary of Key Information Security Terms”, NIST IR 7298

cybersecurity-dataIn today’s digital world, threats to cybersecurity are everywhere. Data breaches are rampant and indiscriminate, affecting businesses of all sizes from small mom and pop shops to massive organizations like Target and Massachusetts General Hospital. Cybercrime is one of the fastest growing illicit activities today, and businesses are now wondering not if they will be a victim of cybercrime, but when. With key preventive measures including employee education, established policies, and implemented best practices, proactive companies can avoid becoming yet another statistic in the world of cybercrime. As longstanding experts in sensitive data security, SEM is pleased to share these 10 cybersecurity tips for small business.

1. Educate Employees

employee-data-breachThe fact that human error is by far the biggest contributor to data breaches cannot be overstated. Educating employees on safe email usage, avoiding phishing scams, ensuring safe social media practices, and safeguarding personal information is critical to the success of any cybersecurity policy. Ensure that employees are using password best practices including updating passwords every 90 days, at a minimum. Also, educate employees on the importance of secure socket layer protocol and to never submit company or personally identifiable information (PII) over an unsecured network.

2. Implement a Device Policy

As business becomes more mobile, so do the possibilities of data theft. If employees’ devices such as phones or laptops have access to confidential company data, require that employees encrypt data, password protect their devices, and understand reporting procedures in the event of a data breach. Employees who work from home should be required to protect their home network behind a firewall.

3. Always Update

update-softwareAntivirus protection, operating systems, system software, and company firewalls only work to protect against breaches when they are kept up to date. As security threats constantly evolve, so do software patches and updates. Install updates as soon as they are released and implement a clear software update policy.

4. Establish IT Best Practices

Standardize a backup plan for all data on the network, including HR files, payroll information, spreadsheets, documents, and all other critical information. Only allow IT staff and key personnel to install software or have administrative rights to company devices. In addition, credentials should be required for access to any company device, and all employees should be given their own unique user names and strong passwords. Encrypt and hide the company’s WiFi network to avoid outsider access.

5. Identify Threats, Vulnerabilities, Likelihood, and Risks

threat-vulnerability-riskThreats come in the form of cyber or physical attacks, human error, accidents (natural or manmade), or resource failure (software, hardware, etc.), while vulnerabilities are the causes of these threats and include items such as outdated software and hardware, untrained staff, and minimal policy enforcement. Likelihood combines the threat with the vulnerability and assigns a rating. For example, the threat of being exposed through a phishing scam combined with inadequately trained staff equates to a high likelihood rating. Once threats, vulnerabilities, and likelihood are explored, a risk assessment can be formulated along with resulting consequence. At that point, the decision to accept or mitigate the risk can be made. Acceptance of the risk should only be considered if the consequences or the likelihood are low.

6. Establish a Data Breach Response Plan

Just as an Emergency Response Plan (ERP) is critical to minimizing loss of life during a natural disaster, so a Data Breach Response Plan is critical to mitigating data loss and resulting expense in the event of a data breach. An effective Data Breach Response Plan should include items such as the following:

  • Documentation of events prior to and immediately following the discovery of a data breach
  • Transparent and immediate communication to all employees including how they should respond to external inquiries and the press
  • Activation of a designated response team, in particular legal council, to determine if regulatory agencies or law enforcement should be notified
  • Identification of what caused the breach as well as implementation of a plan of action to fix it
  • Plan of action based on legal counsel with regard to compliance regulations and other mandates affecting messaging, notification, and possible compensation to breach victims
  • Messaging and schedule for notification of those with compromised data

As with an ERP, a Data Breach Response Plan must be continually updated — annually at a minimum.

7. Communicate ROI

Many companies discount the implementation of a sound cybersecurity policy due to costs that are not easily justified. While the fact remains that no tangible Return on Investment (ROI) for a cybersecurity policy exists, the potential cost of NOT implementing one could be catastrophic. According to the 2017 Cost of Data Breach Study, the cost per record for a data breach was $255, with the average total cost of a data breach being $3.62 million. A cybersecurity policy, and the associated costs, are critical to the protection of a company’s data — and resources.

8. Talk to a Professional

Businesses who do not have dedicated IT professionals on staff or whose IT staff is not fully trained in cybersecurity should consider hiring an outside consultant to implement their cybersecurity policy. As previously stated, ROI for such a hire is not readily apparent. However, one breach can spell disaster — including business closure — for some smaller companies. The cost of hiring a professional to set up an effective data security policy far outweighs the potential risk and subsequent cost of not doing so.

9. Establish an Information End-of-Life Policy

SEM devices meet all compliance regulations and shred hard drives to client specifications.

Often overlooked, information end-of-life policies are critical to a successful cybersecurity plan. The most comprehensive cybersecurity policy still presents high risk if retired or failed data storage devices are improperly disposed of or discarded. Security-minded organizations must identify the confidentiality of the information, the media on which it is stored, and any required regulatory compliance measures. All PII should be considered confidential information that needs to be sanitized prior to disposal. Several methodologies of data disposal exist, from erasure to degaussing to shredding to disintegration, and the best solution is typically identified through a consultation with a data disposition expert.

10. Explore Cyber Insurance

Cyber insurance is not for everyone, but it makes sense to have the conversation with an insurance broker — but only AFTER a security program is already in place! Rates and qualifications have not been standardized and are solely based on overall business security health and ensuing risk.