During a time of profound information awareness and regulatory fines for data breaches, it is disconcerting that almost 30% of businesses have no plans in place to deal with security threats.
There is a common misunderstanding that threats are limited to cyber activity. However, a high proportion of data breaches still occur and are created, internally within organisations.
With GDPR coming into place in May 2018 businesses, large or small, must start to focus on the processes used to safely dispose of end of life equipment – and its associated vulnerable data.
>See also: What is the motivation behind data security?
A data breach can be detrimental to a business’s reputation but there are far too few businesses who can say with any confidence that every measure has been taken or is monitored to mitigate a data breach; that all sensitive data is held securely; or has been destroyed in a secure, audible and responsible manner. Data security still remains an assumption from others, with no real auditing process or accountability to confirm this.
The value of information
The cost of a data breach or compromise is set to rise significantly next year with the introduction of the EU General Data Protection Regulation (GDPR). Today the Information Commissioner’s Office (ICO) can issue a maximum penalty of £500,000 for a data breach – a figure that barely makes a scratch on the turnover of companies such as Yahoo or Talk Talk.
After May 2018 however, the maximum penalty from the ICO will rise to 4% of global turnover or €20 million for each breach investigated and proven. Coupled with brand and reputational damage, this is a more significant penalty and deterrent to all businesses – which should prompt organisations to review data security processes. Or will it?
>See also: Data protection: businesses are spoilt for choice
With the perception that every security risk is caused by a cyber threat, businesses are clearly focused on extensively investing in in this area over their physical data security. However, just consider the massive volume of redundant or obsolete IT equipment UK corporations generate in one year.
What processes are truly in place for the safe destruction of equipment and eradication of the sensitive data it may contain? For many organisations there is no such processes – and where they exist – they are indeed, flawed.
From consolidating and storing data laden devices in unsecured areas, to businesses discovering recycled IT equipment placed on eBay without any data destruction management or control, the history books are littered with numerous examples of businesses failing to take the physical destruction of data and IT equipment seriously – or have even risk assessed their internal processes to any suitable standard. Harsh words maybe, but sadly it’s a reality.
Legal obligation
The problem with recycling any IT equipment is that many companies are still wrestling with the challenge of how they securely dispose of the data held on this equipment. What is the correct process for managing end of life equipment? Who is in charge of ensuring data is destroyed? Is there an audit? Where is the central control?
Most organisations rely on a third-party service provider for IT asset disposal (ITAD). However, the choice and quality of such companies can vary greatly, alongside lack of scrutiny by contracting personnel. Currently fewer than 50 certified organisations in the UK are approved by the industry authority – ADISA.
>See also: How can you secure big data in the information age?
Furthermore, under GDPR data controllers (originators of data) and data processors (contractors to destroy the data) will be jointly responsible for the safe destruction of data and jointly liable for any fines should a data breach occur.
Effective contracts must now be in place between organisations and suppliers of such service provision under GDPR. If not, the data controller will be held to account by the ICO for not enforcing control or recognising the requirements of the regulation or for failing to select a credible, compliant contracted supplier.
100% data erasure
Another issue that many companies have failed to understand is the challenge associated with completely eradicating the data held on Solid State Drives (SSDs).
Traditional methods including erasing, overwriting, degaussing and cryptographic erase, are not 100% successful with SSDs, creating a further risk that data remains in place after storage or reuse or disposal.
>See also: A data security check a day can keep the hackers at bay
The only alternative solution to be 100% sure sensitive/personal data is protected from further use or a breach is physical data destruction via hard disk shredding.
Indeed, growing numbers of companies in highly regulated industries, especially financial institutions military or security agencies, are increasingly looking towards physical data destruction rather than data erasure to achieve 100% data security. Consequently, enforcing the growing understanding of the risks associated with incomplete data erasure.
Ensuring end of life is essential
In this era of exponential data creation, organisations need to create and follow stringent audit processes across the entire IT lifecycle, from purchase to build, security to refresh and repair through to end of life. It is essential to ensure end of life equipment is not only recycled but is also subject to rigorous processes for the destruction of sensitive data assets.
Risk mitigation may be on the board agenda, but failure to understand the extent and damage of data exposure due to a weak chain of custody (CoC) processes is endemic.
>See also: Can the cloud save the NHS from a data breach epidemic?
It won’t be long before a business is found guilty of having irresponsibly recycled its IT equipment, resulting not only in hefty penalties from the ICO but the business impact on its share price, customer loyalty and revenue will follow with damaging results.
The security risk associated with failing to manage data throughout its entire lifecycle is significant today but with the arrival of GDPR, the costs of failing to take control of data destruction are simply too high to risk.
Sourced by Laura Cooper, client services director at DataRaze