Tips for Board Members: Why the Organization Should be Appropriately Managing Non-Digital Assets

Often, employees are too involved in day-to-day work to step back and look at the full picture of an organization. That’s where boards are most effective. They can take a 30,000-foot view of the company and provide effective guidance from that perspective. This is especially true with information security. There are so many threats to digital assets that it’s easy to forget a classic physical asset that stores a significant amount of sensitive data: paper.

It’s just as critical to understand how your organization handles paper as it is to understand how it handles digital assets. Why? Because paper can contain sensitive information just as easily as a digital file or email, but often gets overlooked in the stream of information about phishing, firewalls, bits, and bytes.

Due Diligence for Proper Paper Destruction

Imagine outsourcing document destruction to a third party. Because the company is local and seems reputable, you don’t do much background research on them. They seem trustworthy, so you leave it at that.

Now, imagine experiencing a breach and having no idea how it occurred. You ask, “I thought we were doing everything right—what did I miss?”

Next, you’re informed that the documents you thought were being destroyed were found, fully intact, at a local dump.

And, instead of being able to place the full weight of blame on the vendor, your company receives a fine from the Attorney General because you didn’t perform appropriate due diligence on that vendor.

Management of Non-Digital Assets is Critical for Security

That’s why the appropriate management of non-digital assets is critical. We often think of breaches in terms of “malicious users” and “hackers,” failing to realize that the simplest of formats—paper—can provide someone with enough information to wreak havoc at an organization.

If you want to ensure your organization is handling non-digital assets effectively, here are some key questions you can ask:

  • Are we outsourcing storage and destruction of physical assets? If so, who are those vendors? Have we conducted appropriate due diligence?
  • How are documents stored at vendor facilities? Are they protected from environmental destruction (water, fire, etc.)?
  • How are we physically securing spaces where paper documents are stored and used?
  • What about printers? Are files printed and left in the output tray until someone picks them up? Or do employees need to log in at the printer to release a print job?

The goal of these questions is to build a clear picture of where and how the company handles and stores paper assets, and then to ensure that controls exist around each of those areas and processes.

Physical assets vary depending on the industry of your organization. Regardless, appropriate security controls are imperative. If you need help determining appropriate controls or assessing the effectiveness of your current controls, LBMC Information Security can help.

This blog is the tenth in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program.