How to dispose of corporate trash properly

Many companies throw out information that can pose a security or reputational risk.

When preparing a targeted attack against a company, attackers sometimes resort to dumpster-diving, hoping to find useful information. In real life they won’t stumble across 50 valid passwords in a trash can, Hackers style, but cybercriminals can still find a lot of useful intel in company trash.

What shouldn’t go in the garbage

Even the most optimistic trash scavengers do not expect to find a portfolio of documents marked TOP SECRET. Then again, they hardly need huge secrets to discredit a company or put together a targeted attack;  any scrap of corporate dirt or information can help them dupe employees through social engineering.

Compromising trash

Assuming you don’t habitually throw out evidence of dirty accounting or reports on your business harming the environment, the danger lies in personal data, both customer information and that of employees. These days, such a find guarantees attention from regulators and hefty fines.

To this day, however, we continue to see cases that begin with discarded personal data. Despite the many cautionary tales, not all employees realize that, for example, a list of pizza delivery addresses is confidential information. Far more worrisome, medical records with social security numbers, payment invoices with bank card details, and scans of identity documents also get chucked.

What cybercriminals find useful for a social-engineering attack

Cybercriminals can weaponize the information they find in carelessly discarded work documents, envelopes, and digital storage media.

Work documents, even ones that don’t contain classified data, can reveal what the team is doing, the terminology it uses, the processes the company has in place, and more. Armed with such information, an attacker can impersonate a participant in the working process by e-mail or even telephone, helping them draw out additional information or mount a convincing BEC attack.

Envelopes from business letters always indicate the addressee and the sender. Knowing that an employee of company M receives paper documents from representatives of company N, a cybercriminal can, for example, contact the recipient with a convincing request for clarification or send a malicious link that appears to confirm receipt of a real physical document.

Digital media can be a veritable treasure trove of information. A broken smartphone can cough up lists of contacts and messages, useful for imitating the device’s former owner; and flash drives or even discarded hard drives hold tons of work documents and personal data.

Generally speaking, even a lunch delivery bag bearing the name of a company employee offers opportunities for cybercrime, such as, for example, a phishing e-mail with fake links to menu specials or loyalty programs. (That one isn’t particularly popular, of course, but it is real all the same.)

How to dispose of trash properly

As a start, we recommend minimizing or eliminating the use of paper as a storage medium. Doing so will not only help save the planet, but it also neatly sidesteps the problem of disposal.

First, destroy all paper documents that are in any way related to the work of the company. That means all of them, not just those containing personal data. Shred them, envelopes included.

Digital media (hard drives, flash sticks) do not belong in the trash. Your next step is to render them mechanically unusable and take them to an electronics recycling center. Snap disks and flash drives with pliers. For hard drives, use an electric drill or hammer. Remember that there is a flash drive inside every phone and a hard drive inside every computer. If you’re throwing any of them out, first make sure their data is unreadable.

Before throwing away parcels or food delivery bags, tear off and destroy any labels with the name and address of the recipient.

Keep in mind that the security of your business depends directly on every company employee, from the front desk to the c-suite, understanding and obeying these rules. Everyone, regardless of position, needs basic, practical knowledge about handling potentially dangerous information.