Mark Harper of HSM discusses how the media focus on cyber-attacks and digital data breaches means we are in danger of neglecting our physical information security. Harper highlights the potential risks to paper-based security and how to negate them.
In today’s data-driven environments, data compliance and security should be at the heart of any business.
With the GDPR driving changes back in May 2018, it seemed as though emphasis rightly focused on confidential data as a whole, no matter its source. However, in the past 12 months we’ve seen larger organisations (such as Google and Facebook) placed under the microscope with the threat of large fines as a result of digital data misconduct. With this in mind, we’re now in danger of our focus slipping when it comes to paper documentation and its safe disposal. So, has the pendulum swung too far?
Neglect at your own risk
July has again been riddled with media coverage showcasing digital data breaches as the Information Commissioner’s Office (ICO) threatens to fine top brands almost £300m. British Airways is subject to the largest fine yet under the new rules: the ICO is set to fine it £183m after the personal data of 500,000 BA customers was stolen from its website and app.
In 2016, the ICO revealed that some 40% of data security incidents related to loss or theft of paper – and this figure rose again the following year. It’s fair to say that, in terms of media emphasis, these figures unfortunately aren’t represented. Yet UK businesses simply can’t afford to neglect paper-based documentation. Careful consideration of how and where physical documents are disposed of is essential, as there are a number of risks associated with their collection, transportation and destruction.
So, with this in mind, how can we mitigate physical data breaches?
Protection at the source
The Centre for the Protection of National Infrastructure (CPNI) highlights the potential threats to the physical data destruction process, including:
While these threats have the potential to occur at any point, there is evidently less control when paper leaves a building.
There have been numerous incidents in which highly confidential documents have been left behind. This year in particular has seen some potentially serious blunders. In early July, top secret documents containing detailed security arrangements relating to the Porton Down military research facility were discovered in a London bin. Earlier this year, boxes of intimate patient records and financial data were discovered by the BBC in an abandoned nursing home. Negligence towards physical document destruction could cost UK businesses thousands, if not millions.
Organisations are right to invest in encryption, antivirus programmes and other security measures so that digital data remains as secure as possible, but it should not be done at the expense of implementing sensible and proportionate security measures for paper documentation.
External data destruction solutions, such as off-site shredding, are often employed for convenience, but rarely is the true security of these services understood or investigated. Yet control is lost as soon as documents leave a building to be destroyed. Off-site shredding may seem convenient, but it exposes documents to greater risk as soon as they leave the premises, including theft, loss and espionage. Not to mention that these solutions are typically more expensive over time.
Document security is best left in-house. Best practice, when disposing of paper, is to destroy documents at the source, rendering them secure at the time of shredding. It’s about maintaining control of what can be a sensitive process. Not only does in-house shredding neutralise the risks associated with off-site transportation, it also gives more control to ensure that destruction is carried out to an appropriately secure size. And, yes, particle size is important: a P-1 high volume shredder (typically found in off-site shredding trucks) will produce strips at least ten times larger than those from a standard P-4 cross-cut office shredder, for example. So, why leave paper document security to chance?