Secure data disposal, once it reaches its end of life or end of use is a key part of the modern digital business’ information security strategy. Poor data security and management, including data processing, destruction and disposal can result in serious consequences, especially under the incoming General Data Protection Regulation (GDPR).
With GDPR inching ever closer – bringing with it fines of up to €20 million – secure data disposal and destruction of assets is growing in importance.
But secure data disposal and destruction, while fundamentally essential, is an increasingly difficult challenge for many industries that handle incredibly sensitive information and, in some instances, poses a real danger should it fall into the wrong hands.
Industries such as defence, aerospace, government security, finance and healthcare are amongst those at most risk. The highly sensitive data they handle on a routine basis could easily be exploited by hackers or wrongdoers and incur terrible consequences.
Recent cyber attacks, such as WannaCry and Petya, have put the spotlight onto the security and management of data – pushing data security to the top of the business and national news agendas. A recent article from The Telegraph highlighted that the UK is ‘prepared to use air strikes or send in troops as retaliation against future cyber attacks’ and that they would be met with a response from any domain; land, sea, cyberspace or air. A worrying outlook.
Subsequently, questions surrounding the cyber security infrastructure of every business and government across the globe have been raised, with millions of pounds, euros, dollars, yen etc. being pumped into strengthening cyber defences. But what investment is being made into the protection of physical data assets either on-site or remotely? Where are the weak points and how far can you go when it comes to secure data disposal?
What are the options?
The modern business needs a real-time, robust solution to secure data disposal. The question is, what is the most secure, reliable and regulatory compliant method available for businesses that operate in these data sensitive industries?
Large businesses may use more than one method to ensure complete data erasure, destruction and disposal, providing a comprehensive solution and auditing trail should regulatory bodies need to examine its process. They’ve been in the game for a long time and are completely aware of the ramifications that poor asset disposal could lead to. They’ve maintained consistent practices over the years and built a process that works.
Small and medium-sized businesses (SMBs) however, may not have the same resources or experience of dealing with secure data disposal, and may not have considered the risks that stockpiling old data assets can pose. To provide some guidance for SMBs, we have compiled a list of tips they can apply to ensure they adopt a secure and compliant approach to data asset destruction.
- Bring control in-house – Having the destruction of data assets under internal control removes the opportunity for third party interference and allows the business to impose its own strict processes for secure data destruction.
- Appoint a Data Protection Officer – Under GDPR, the principal purpose of the Data Protection Officer (DPO) is to “inform and advise a business about its obligations to comply with GDPR and other data protection laws”, monitor compliance with GDPR and other data protection laws, and be the first point of contact for supervisory authorities and for individuals whose data is processed.
- Provide an audit trail of destruction – Currently, the method for destroying data assets only records the serial number of the device before the asset is destroyed via a shredding machine. But this audit trail can be significantly expanded to provide undeniable proof that the asset was indeed destroyed. For example, to destroy a data asset that holds sensitive data, the data controller could provide fingerprint authorisation of the destruction, have a picture taken, and even film the actual destruction of that data asset (https://dataraze.com/get-started/)
- Have a chain of custody – This will be crucial for businesses should they ever receive a visit from the Information Commissioner’s Office (ICO). Having a system in place that enables a business to know that a defective data asset has been removed, when this occurred and who was responsible, must form part of the internal security process. A ‘cradle to grave’ process can be achieved if businesses use the technology available in the marketplace.
- Know your industry specifications – The standard for secure data asset destruction is a particle size of 15-30mm. But the actual size of shredded material can be driven by your business. Sensitive data assets that fall into impact level categories known as IL4, IL5 or IL6 (Confidential, Secret and Top Secret) can be shredded down to a particle size of 6mm. Making it impossible to use that asset again.
How far can a SMBs go when it comes to destroying data assets? The simple answer is: never far enough. But by taking some simple steps to ramp up the security surrounding data asset disposal and destruction, as opposed to just focusing on cyber security, SMBs can begin to rest a little easier when GDPR comes into force.