Preventing Your Hard Discs and Back-Up
Tapes Becoming a Data Disposal Liability
We don’t expect to be kidnapped or die in a shredding machine. In the same way, as companies or individuals, we also don’t expect to see our old hard disk up for sale on eBay or at a second hand computer fair, when it still contains confidential information about us, our company or its customers. However, a recent international study has shown that this is more likely to happen to our HDDs than one would think.
Confidential Data Destruction
BT teamed up with the University of Glamorgan to conduct some research into the destruction of data.
300 hard drives were bought at computer fairs or via web stores and disposal auctions in the UK, Germany, France, United States and Australia. The confidential data on them was then examined. Between 35-40% of the hard disks held commercially sensitive data and should have been shredded. These included HDDs holding NHS patient records and intellectual property. One hard drive disposed of by a US source contained launch codes from a missile system!
Many companies outsource the disposal of hard disks and their destruction. Some of the hard disks which were part of the survey and handled by an external supplier were found to contain data from the Lanarkshire NHS. The disks were not properly erased or shredded by the external supplier. After learning of the data disposal survey results, the hospital concerned now does its secure destruction in house.
This story clearly reveals a vulnerability in the destruction procedures of the external supplier. However, it also points to clear failings in the data disposal strategy of the hospital.
In the first instance, the obvious move is to choose an accredited supplier with proper HDD shredding capability. The CCT Mark secure disposal scheme run by CESG, part of Cheltenham GCHQ, is the most obvious example of this.
The second action point is to make sure that the internal person ordering the data destruction services is sufficiently responsible or senior and has a basic understanding of the risks involved in HDD disposal. At Data Eliminate, we find so many cases where a very junior member of staff is charged with the job of disposing of old hard discs and media. In these cases, the appointed person’s number one priority is too often to dispose of the disks and get them off his or her desk.
Shred Hard Disks
The crucial thing to remember here is that it’s people who represent the biggest security threat through dishonesty, lack of education or sloppiness– not computers or hard discs.. So the most obvious risks come into play when you destroy the hard drives off-site as opposed to shredding on-site. With on-site destruction, as the customer you can witness the shredding or destruction process and be sure it is completed to your satisfaction.
With off-site destruction, you are at the mercy of the chain of custody between the collection from your premises and the final place of destruction. Does your data destruction supplier vet their staff and offer other security measures to reduce the chance of the pilfering of a disk or data tape? A simple security measure, in the case of off- site destruction, might be for the service provider to call and confirm that the quantity of items that are about to be processed at the destruction facility, is the same as the quantity handed to their driver. In many cases, sealed security containers may also be used for this purpose.
Data Disposal Policy
A simple way in which you can begin to protect yourself is by having a data classification system in place. This involves labeling documents, files, IT equipment and other items according the value of the data held on them. HMG Government uses a protective marking scheme which provides a good example. There are six ‘impact levels’ within the government protective marking system. Level 1 is ‘HMG Unclassified’, Level 2 is ‘HMG Protect’, Level 3 is ‘HMG Restricted’, Level 4 is ‘HMG Confidential’, Level 5 is ‘HMG Secret’ and Level 6 is ‘HMG Top Secret’. Different policies exist for the daily treatment and final destruction of data from paper to hard drives and data tapes according to its level of security classification or the ‘impact’ a leak of the information might have. Obviously, Level 6 information might comprise NATO’s battle plans and will receive more protection than medical records (as in the case above) which might be Level 2 ‘Protect’.
These are three of the most straightforward steps organisations can take to protect themselves from an incident of data loss relating to used hard disks and computer media.
For further information on our data destruction service, please call 0845-1234-400 or complete our enquiry form. For brief details see our postcard flyer on Government Certified Secure Hard Drive Destruction.