Security


in many instances being an afterthought, or not mentioned at all.


Cutting corners may appear attractive at first glance, but taking risks with information destruction stores up future problems, which are liable to come back to hit organisations when they least expect it. The 2009 study by BT and the University of Glamorgan, in which they bought up 300 second-hand computer hard-drives and found that 34% still contained sensitive data - from patient details to a missile defence programme - starkly illustrates this point. A growing number of organisations are suffering at the hands of unscrupulous providers, only finding out later, when data is exposed, that hard-drives they thought were wiped, or documents they thought were shredded, had not been processed professionally but simply sold on, dumped with normal waste, or disposed of through fly-tipping. One worrying statistic that emerged from our recent ID Section survey is that a third of those who replied are still relying on standard municipal waste disposal to deal with even the most sensitive of their data, with all the dangers which this entails.


It was also disturbing to discover that whilst 50 per cent of those questioned claimed that their organisation used a professional service for information destruction, in reality only half of this number were able to confirm that their provider met the EN 15713 standard. So the bottom line is that only a quarter of organisations actually have a service in place which, in our experience, could be deemed to be appropriate. Given that our own members, who all meet stringent best practice standards, destroy in excess of 300,000 tonnes of confidential waste every year, the amount of waste that is not being handled correctly, and is open to criminal exploitation, could at a conservative estimate run into hundreds of thousands of tonnes.


Detailing Data Breaches


In terms of where data breaches are actually happening, we discovered in the ID Section research, for instance, that half of these involved paper and the rest were attributed to computer hard-drives. Sadly, data breaches, by their very nature, are not going to be flagged up ahead of time, so when they do occur, critically, there can be serious ramifications for the organisations involved, their employees and their customer base, which can take months or even years to resolve. The financial impact and reputational damage are likely to be considerable. To put this into context, the average cost of a data breach reached £1.9 million in 2010, having risen for three successive years (according to an annual UK study sponsored by data protection firm PGP Corporation).


This is notwithstanding, of course, the potential for fines that can be imposed as a consequence of failing to comply with the Data Protection Act. The Information Commissioner's Office (ICO) now has the ability to issue penalty fines of up to £500,000 to those who do not meet their obligations. Surprisingly, of those questioned in the ID Section research, only 41 per cent knew about the toughening of the ICO's enforcement powers, so there is still much work to do in communicating the message regarding the action that can be taken against those who are failing to comply.


Avoiding the Pitfalls


There really is little sense, in such a security-critical area, in making a choice based on a single criterion like price, when choosing the wrong provider can have such far-reaching ramifications. The question that needs to be asked, if your organisation is using a provider that has not instituted appropriate security measures to handle your sensitive waste, is what are you really achieving from having such a service in the first place? It is certainly not providing the peace of mind that information is being disposed of professionally, nor will it convince the authorities that you and/or your data controller are acting in an appropriate manner.


Of course some will counter that they have been using an information destruction company that is not accredited without any problems. The response to this would be that without the right framework in place it is likely the positive outcome to date will have been more the result of luck than design. Where confidential information is concerned, the last thing you should be doing is gambling, given how high the stakes are if things go wrong.


The customer-facing end of a prospective supplier may seem convincing, with smart uniforms, a slick website and vehicles, but if there is no substance behind this shiny facade and, critically, they are not actually working to the EN 15713 standard, then there can really be no confidence that they are in a position to deliver a secure service.


Another major issue which organisations need to be aware of when they go down the route of using cut-price, sub-standard suppliers is the serious lack of staff vetting taking place to pick up on criminal elements who may seek employment at such firms so they can gain access to data, and sell it on, before it is disposed of.


Securing Disposal


The message therefore has to be to facilities managers, who are increasingly playing a pivotal role in the decision-making process on secure data disposal, to remember why such a service is needed in the first place. They should have uppermost in their minds the far-reaching implications if the process is handled in a less than professional manner and, crucially, the importance of the information destruction provider selected complying with the EN 15713 standard.


For more information about secure data destruction please log on to www.bsia.co.uk/shredding. A video interview with Russell Harris on the findings of the ID Section's research can be found on the BSIA's YouTube Channel at: http://youtu.be/7ieh03Vhp30

