Security Strategy: Disposing of Data Securely

Security Strategy: Disposing of Data Securely

Cyber-attacks have been at the forefront the UK’s business community’s consciousness in recent years. While cyber security is of critical importance, there is a real risk that by overly focusing on the cyber realm, UK businesses may be neglecting the threat from corporate espionage and fraud focused attacks that take advantage of physical vulnerabilities. It is crucial that organisations implement comprehensive security processes across the physical/cyber boundary in order to prevent malicious attacks. Here the British Security Industry Association (BSIA) highlights the importance of procuring the services of a quality information destruction company when ensuring the secure and timely disposal of sensitive data.

It is absolutely essential that organisations across all sectors take extra care when destroying documents or materials containing any sort of personal or financial information. Improper destruction of physical business documents can lead to Data Protection Act breaches, which can result in hefty fines from the Information Commissioner’s Office (ICO) and longstanding reputational damage.

Under the Data Protection Act 1998, everyone responsible for using data has to follow the data protection principles. These include ensuring that data is used fairly and lawfully, for limited, specifically stated purposes; used in a way that is adequate, relevant and not excessive; accurate; kept for no longer than is absolutely necessary; handled according to people’s data protection rights; kept safe and secure; and is not transferred outside the European Economic Area without adequate protection. Failing to abide by these principles can put a person’s information at risk which can lead to identity theft and fraudulent activity. As such, it is essential that the necessary steps are taken to ensure the secure destruction of data.

Information destruction covers a wide range of materials, not just paper, but also computer hard drives, laptops, hard disks, CDs, DVD’s, USBs, credit cards, SIM cards and even branded products like uniforms. All of these materials can have dire consequences if in the wrong hands and must be shredded and destroyed safely. A quality information destruction supplier will ensure that materials are destroyed to such an extent that they cannot be reconstructed.

Talking on the importance of choosing a trusted information destruction supplier, Don Robins, Chairman of the BSIA’s Information Destruction Section, explains: “Information destruction is vital to preventing identity fraud. When specifically looking at electronic media waste, it is important that if you do not have the expertise, don’t take a risk, and outsource the destruction to a professional service provider. Information disposal is already of great concern, not just for every business but to all of us as individuals. When selecting an information destruction company, steps should be taken to ensure they will protect your digital data until it has been safely destroyed. Often these steps are common sense, but surprisingly the major consideration is the initial financial cost rather than the positive assurance gained from using an accredited destruction company.

“Make sure your choice of company uses security cleared personnel, that they have clear and secure procedures from collection through to destruction, that you have selected the appropriate destruction particle size for the material being destroyed and that they provide a destruction certificate.

“You should also check for references. Make sure you know who the actual information destruction service provider company is, check that they are members of a professional association, such as the BSIA, and draw up a contract with explicit requirements. Possibly, the first step is to make sure you have a person within your organisation that will be responsible for the destruction of media assets and the data contained on them” says Don.

Discussing the impact of an electronic era on the industry, Don comments: “As more and more information is crammed onto increasingly smaller devices and, not to be forgotten, paper is printed using smaller font sizes, it is obvious that smaller particle output sizes are going to be required. The Centre for Protection of National Infrastructure (CPNI) has recognised that there is an increasing issue in the security of the destruction processes and destruction output and will be publishing a new standard, PAS 7010, later this year.”

“Data on electronic media is also increasing” he adds. “Over the next decade paper documents will decrease. There is now an opportunity for those information destruction service providers that are prepared to invest and diversify, to engage in this value added service. The future will see more service providers offering e-waste destruction services and destruction output particles getting smaller. Regulations will have an effect on client requirements, but only if data breach fines become wider spread than currently is the case. Irrespective of this, the client can see the need for higher standards, which will be the driver for increased professionalism in the information destruction industry.”

Looking to the future of the information destruction sector, Don concludes: “Today, data is essential to all of us, but in the wrong hands information can do a lot of harm. This vulnerability is not going away and cyber-crime is increasing. This fact secures the future for professional information destruction service providers. There may be increased use of electronic media, but people are still printing from the screen onto paper. In addition, the record management business is still maintaining pace. Whilst security standards may be enhanced and customer requirement may be better defined, these factors will add to assurance for those information destruction service providers that operate professionally and are accredited to associations such as the BSIA.”

A trustworthy information destruction company will comply with the essential European standard BS EN 15713:2009 for security shredding, as well as BS 7858 for staff vetting. It is crucial to keep these standards in mind when sourcing an information destruction supplier, as these standards ensure that the companies providing data destruction services are doing so in a secure manner which provides maximum security for your information. To help end-users navigate and understand EN 15713, the BSIA’s Information Destruction Section – who all comply with this standard and adhere to a multitude of rigorous criteria –  have produced a comprehensive, step-by-step guide, which can be downloaded for free here: https://www.bsia.co.uk/Portals/4/Publications/204-id-en15713-guide.pdf

 

Security Strategy: Disposing of Data Securely