As employees of Woodforest National Bank, headquartered in The Woodlands, Texas, arrived for work one recent morning they noticed some activity at the trash dumpster in the back of the parking lot.

A man had climbed inside the dumpster and was throwing trash bags out, while some others had set up a folding table where they were going through the trash. No, it wasn't vagrants looking for something useful or some discarded food. Nor was it identity thieves looking for personal information, such as social security numbers and home addresses. It was members of the internal audit department.

The exercise was part of a data exposure audit to determine if employees were neglecting company policy and putting documents with sensitive information into the trash without first shredding them. "The control is that we have shredders and a company policy to shred sensitive information when discarding it, but how do you test that control?" asks John Liestman, vice president and IT audit manager at Woodforest, who devised the test. The internal audit department now conducts regular dumpster dives at its headquarters and several other locations.

Liestman says it's really the only way to determine if sensitive company information is making its way into the garbage, which, he says, is really no different than disseminating it publicly. "It could easily make it from there to the six o'clock news," he says.

He and his team are on the lookout for such unshredded information as personal information of employees or customers that could be used by identity thieves, loan application data and other sensitive financial information the bank is required to protect by banking regulations, proprietary data about bids or business negotiations that could be used by competitors, management memos or other information about strategy, and anything that could be deemed sensitive or proprietary.

Sending a Message
While Liestman leaves the suit and tie at home on days that he plans to climb into a dumpster and sort through the trash, he says he doesn't mind getting a little dirty to get the job done. He also says the dives serve a purpose beyond testing the shredding control and keeping sensitive information from falling into the wrong hands. "One of the great benefits is that it sends the message to all employees that we take data security—both digital and physical—very seriously," says Liestman. "It promotes the message of security awareness."

With all the focus on cybersecurity, companies might lose sight of physical security. "It's easily overlooked. And what I love about the dumpster dive is that it is essentially free," says Liestman. Even if companies aren't concerned that identity thieves or others could be going through the trash, the risks are still there. In fact, local news stations and newspapers love to do stories on how local businesses are putting sensitive information out with the trash, particularly banks, healthcare businesses, and others that handle personal information.

Liestman says it can also be a good gauge of data security awareness in the organization. If employees are putting sensitive information into the wastebasket, they are probably practicing poor security habits online as well. And he loves the message it sends about internal audit: "We have a responsibility to promote data privacy, so it shows that internal audit is doing everything it can," he says. According to Liestman, the dumpster diving is such a good way to promote data security that it can make employees more aware of phishing scams and promote general control awareness. That's among the reasons he likes to conduct the dives when employees will be arriving for work and are more likely to witness them.

Low-Tech Tracking Devices
To conduct what is essentially a form of sampling, Liestman either takes a ladder down to the dumpster and goes in—he has a trick to bang the ladder against the dumpster and listen for any rustling—or he simply asks the cleaning team to place that day's office garbage in a conference room where they can go through it without the actual dive. Thankfully, he says, his company uses clear plastic bags, making it easier for him to avoid waste from the bathrooms or from the company kitchen.

He also does what he calls, "salting the trash." On the day before the dive, he goes around quietly putting small colored slips of paper coded with location information into the wastebaskets at employees' desks and in common areas. The slips are a way to get a better sense of where the trash is from during the dive and that the sample is inclusive. "It's a way to make sure that trash is going where you think it is going and that when you find something you have a good idea of where it is coming from," says Liestman.

Interpreting the Data
Companies should be careful about how they interpret the results. One thing to remember is that it is a small sample. "It's just one or two days' worth of trash during a whole year, so that can only tell you so much," says Liestman. He sounds another word of caution: You need to be careful with whom you blame for something ending up in the trash. Since documents get passed around the office, the person who is listed on a memo or the person whose printer code is listed may not be the person who threw it out. "You don't want to jump to the conclusion that whoever printed it should be fired," he says. Typically, when the internal audit team finds sensitive documents coming from the same department or area, he recommends data privacy training for that team.

Liestman won't say exactly what he finds in the dumpster, as not to call attention to what might be found in Woodforest's trash, but he says there's reason for doing them. "We do these on a regular basis, and we think there is value in doing them," he says. "Others who do them say they also find value." It's a dirty job, but someone's gotta do it.