Recent events have left businesses more aware than ever of the dangers of poor data security. This awareness, combined with increasing regulation, means that taking appropriate steps is essential.
However, although nearly three quarters of small businesses suffered some sort of data breach in 2015, many still have no plan for dealing with security threats. Many people associate data threats with intrusion or other cyber activity, yet many security breaches can be traced back to poor data handling or internal error.
In May 2018 the transition period for the EU General Data Protection Regulation (GDPR) ends, meaning that businesses can no longer afford to neglect protecting vulnerable data and safely disposing of end-of-life equipment.
Data breaches have a serious impact on consumer confidence. Yet it is still far too common to find businesses that cannot offer assurances that sufficient measures have been taken to prevent or mitigate the risk of a breach, because they have no proper processes to ensure that sensitive data is kept secure or destroyed in a responsible and reliable manner.
Rising information value
The GDPR means that the maximum penalty from the Information Commissioner’s Office for a data breach (currently £500,000) will rise in May to 4% of a company’s global turnover or €20 million for each breach investigated and proven.
While this shift is focused on ensuring the fines for data breaches are an effective deterrent for large companies who may not be significantly impacted under the present system, it is by no means irrelevant to small and medium enterprises.
Efforts to protect against cyber threats are important, but they cannot be effective without similar precautions for physical data security. Every year systems are overhauled or upgraded, leading to massive amounts of equipment for disposal, and that equipment often holds data that remains sensitive even after the technology holding it becomes obsolete.
The everyday casual attitude to waste is too often applied even where greater care is needed. IT equipment continues to require appropriate handling even after it is no longer in use, but how many organisations have relevant processes in place? And how many of those processes are sufficient?
From physical storage for key data being placed in unsecured areas to recycled equipment resold after amateur or non-existent data destruction, news stories of physical data protection failures are all too common.
Data protection and the law
Many companies simply don’t have the information necessary to put together appropriate asset disposal protocols and are dependent on third-party service providers of variable quality. It is therefore essential that, when selecting a vendor, consideration is given to the vendor’s ISO certifications, in particular ISO 27001 Information Security Management. IT asset disposal (ITAD) service providers should also have security-cleared staff and be able to provide a fully auditable data destruction process and certificates confirming the destruction of data.
Under the new GDPR, the originators of data and the contractors engaged to destroy it will be held jointly responsible for ensuring safe data destruction and, should a breach occur, are jointly liable for the fines. Furthermore, it is the responsibility of the data originators to ensure that they have contracted a credible and compliant supplier.
As technology moves forward, the procedures surrounding it must also develop to keep up. Solid state drives (SSDs) present a particular challenge in data destruction processes, as traditional methods including cryptographic erasure, degaussing and overwriting are not 100% effective on SSDs, so there is a risk that data remains.
The most effective alternative is physical data destruction. Hard disk shredding is the only method found to be 100% effective and is already a popular option among highly regulated industries including financial institutions and security agencies. Its popularity is only growing as understanding of the risks of incomplete data erasure spreads.
End of life remains essential
Despite the temptation to be dismissive of the disposal side of the IT lifecycle, it is more important than ever to ensure thorough precautions are in place.
All aspects of risk mitigation should be considered in data protection including physical factors such as storage, chain of custody and safe disposal.
The cost of failing to manage data has always been significant, especially when that failure results in a security breach, but in the coming GDPR era these are dangers that must be avoided.