Data security has risen to the top of the business agenda in recent weeks with the ‘WannaCry’ ransomware attack billed as the biggest ransomware attack in history. Consequently, businesses across the UK are revisiting existing data security policies to determine where improvement or investment is needed to bolster IT systems and protect their business critical data.
However, why should it take an attack of this scale to get business leaders to focus on data security? Why are organisations still responding to individual security events rather than proactively embracing end-to-end data lifecycle management? And why are so many relying on third parties to handle essential tasks such as end-of-life data disposal without rigorous chain-of-custody evidence? As the financial and reputational costs associated with a breach continue to rise, organisations cannot afford to outsource responsibility for security.
Reactive response to a data breach
Why are organisations still reacting – with panic – every time a major security breach occurs? Existing legislation, including the Data Protection Act (DPA), should have already ensured that organisations had a handle on the risks associated with data storage and retention; while the much discussed General Data Protection Regulation (GDPR) which comes into force in May 2018 raises the stakes once again with very significant penalties for those organisations that fail to safeguard personal data.
For too long businesses have not prioritised data security highly enough - the clock is ticking until another major corporation is found wanting when it comes to protecting its business critical data. The implications are far more significant than many realise: according to a study by Deloitte, the direct costs commonly associated with data breaches are far less significant than the “hidden” costs. Indeed, the cost of customer breach notifications, post-breach customer protection, regulatory fines, legal fees, cyber security improvements and crisis communications accounts for less than five per cent of the total business impact.
Instead, it is the indirect costs including increase in insurance premium, increased cost to raise debt, operational disruption or destruction, lost value of customer relationships, lost contract revenue, devaluation of trade name and loss of intellectual property (IP) that are far, far higher. Furthermore, the time horizon over which impact is felt is far more protracted than is often anticipated. In Deloitte’s scenarios, costs incurred during the initial triage stage of incident response account for less than 10 per cent of the rippling impacts extending over a five-year period. Surely this is enough to focus the attention of business leaders?
Securing data, not systems
Of course the issue is not simply a lack of focus; it is a lack of understanding. Cyber security is without question the poster boy for any threat to business critical data, and is therefore where the majority of any available budget is channelled. However, is the available budget being spent wisely? Despite widespread perception, regulations such as DPA and GDPR are not about cyber security – they are about data security.
Organisations need to understand their data resources. Different data types are subject to different levels of sensitivity and management requirements. Demands of data retention, update and deletion - already within DPA - are becoming ever more specific within GDPR. It is an understanding of the data lifecycle that should be defining the security strategy, not a knee-jerk response to the latest cyber attack.
Simply putting all data into storage and forgetting it is not an option. With the maximum penalty associated with GDPR hitting four per cent of global turnover or €20 million, organisations cannot afford an ‘out of sight, out of mind’ attitude to securing and managing the data lifecycle.
Proof of data destruction
One of the biggest areas of risk that is routinely overlooked is the way in which end of life equipment – and its associated data – is decommissioned. What happens to mobile phones, laptops and server equipment at end of life? Who is managing the safe destruction of the vast quantities of data held on this equipment? How confident is the business that data is being completely destroyed – as required by the regulations? And where, to be frank, is the proof?
While it is tempting to rely on a third-party IT Asset Disposal (ITAD) company, it is essential to ensure the process is robust – and that means undertaking a rigorous chain-of-custody assessment and demanding proof of disposal. Organisations may have shrugged off incidents in the past where data has not been effectively destroyed; however, the joint liability that comes into play under GDPR will place the onus firmly on any organisation to demonstrate an adequate process. Outsourcing responsibility without looking for chain-of-custody evidence is not going to cut it with the regulator in the event of a breach.
The contractual agreement must cover all areas of jurisdiction, including processes and standards; plus full proof of destruction – such as video evidence. However, while there are around 400 ITADs in the UK at the moment, it is believed that just 10 per cent of those will be able to provide the level of assurance and proof that will be required under GDPR, creating a massive potential gap in the end-phase of managing data lifecycle.
Achieve end to end control
The alternative is to take control in-house; to use physical data destruction technology that provides that essential evidence. Opting to retain a data asset destruction shredder on site ensures redundant or failed drives can be immediately destroyed, providing complete data control.
The process is simple and provides the essential audit trail. As soon as a drive fails or is taken out of service, the serial number, rack number/location, drive make/model and the date/time of failure are entered into the system and the drive is then shredded. A photograph of the hard drive and a video of each shred can also be attached to provide full confirmation of the data destruction to any internal or external auditor.
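The audit trail described above only convinces an auditor if the records themselves cannot be quietly altered or dropped after the event. The following is an added example, not DataRaze's software or any ITAD's system: a small Python ledger that stores the fields listed above (serial number, rack location, make/model, date/time of failure and of shredding) together with SHA-256 digests of the photo and video evidence, and hash-chains each entry to the previous one so that editing or deleting a record breaks the chain. All field names, the sample drives and the evidence bytes are constructed for illustration.

```python
"""Tamper-evident chain-of-custody ledger for on-site drive destruction (added example)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Iterable, List, Optional

GENESIS = "0" * 64  # previous-hash link used by the first ledger entry


@dataclass
class DestructionRecord:
    """One shredded drive: the fields the article lists plus evidence digests."""
    serial_number: str
    rack_location: str
    make_model: str
    failed_at: str            # ISO-8601: when the drive failed / left service
    shredded_at: str          # ISO-8601: when it went through the shredder
    operator: str
    evidence_sha256: List[str] = field(default_factory=list)  # photo/video digests
    prev_hash: str = GENESIS
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash a canonical JSON form of every field except the hash itself.
        payload = asdict(self)
        payload.pop("entry_hash")
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def evidence_digest(data: bytes) -> str:
    """Digest of a photo or video file, binding the evidence to the entry."""
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    def __init__(self) -> None:
        self.entries: List[DestructionRecord] = []

    def record_destruction(self, *, serial_number: str, rack_location: str,
                           make_model: str, failed_at: str, operator: str,
                           evidence: Iterable[bytes] = (),
                           shredded_at: Optional[str] = None) -> DestructionRecord:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        rec = DestructionRecord(
            serial_number=serial_number, rack_location=rack_location,
            make_model=make_model, failed_at=failed_at,
            shredded_at=shredded_at or datetime.now(timezone.utc).isoformat(),
            operator=operator,
            evidence_sha256=[evidence_digest(e) for e in evidence],
            prev_hash=prev,
        )
        rec.entry_hash = rec.compute_hash()
        self.entries.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the index of the first broken entry, or None if the chain is intact."""
        expected_prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec.prev_hash != expected_prev or rec.entry_hash != rec.compute_hash():
                return i
            expected_prev = rec.entry_hash
        return None

    def to_json(self) -> str:
        return json.dumps([asdict(r) for r in self.entries], indent=2)


def build_sample_ledger() -> CustodyLedger:
    # Constructed sample data: two failed drives; evidence bytes stand in for real files.
    ledger = CustodyLedger()
    ledger.record_destruction(
        serial_number="EXAMPLE-SN-0001", rack_location="DC1/R07/U12",
        make_model="Example Corp 2TB SAS", failed_at="2017-06-01T09:14:00+00:00",
        operator="ops-jdoe", evidence=[b"<photo bytes>", b"<video bytes>"],
        shredded_at="2017-06-01T10:02:30+00:00")
    ledger.record_destruction(
        serial_number="EXAMPLE-SN-0002", rack_location="DC1/R07/U13",
        make_model="Example Corp 2TB SAS", failed_at="2017-06-02T16:40:00+00:00",
        operator="ops-jdoe", shredded_at="2017-06-02T17:05:10+00:00")
    return ledger


def tamper_demo() -> Optional[int]:
    """Alter the first record after the fact; verify() flags index 0."""
    ledger = build_sample_ledger()
    ledger.entries[0].serial_number = "EXAMPLE-SN-9999"
    return ledger.verify()


def deletion_demo() -> Optional[int]:
    """Silently drop the first record; the orphaned second record is flagged at index 0."""
    ledger = build_sample_ledger()
    del ledger.entries[0]
    return ledger.verify()


if __name__ == "__main__":
    sample = build_sample_ledger()
    print(sample.to_json())
    print("intact:", sample.verify() is None)
    print("tamper detected at index:", tamper_demo())
```

A hash chain makes in-place edits and deletions visible to an auditor, but it does not stop someone who controls the whole file from rewriting every entry consistently; in practice the latest `entry_hash` should be anchored somewhere the operator cannot change (a signed daily summary, a write-once store, or the auditor's own copy), and the photo and video files whose digests are recorded should be retained alongside the ledger.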
Combining this in-house approach with strong policies for data management that reflect classification, sensitivity and associated retention/disposal requirements can deliver that essential chain of custody.
Events such as WannaCry may keep cyber security in the headlines but too many organisations have still to grasp the ‘data management’ requirement. Investment should not be targeted towards infrastructure security without considering the data lifecycle. Without understanding both data and systems together, it is impossible to effectively allocate investment to reduce risk and address regulatory data protection demands.
Critically, organisations need to take ownership and control of the data lifecycle – reliance on third parties without robust evidence of good practice will not achieve compliance with regulations such as GDPR. Good practice demands a shift away from reactive investments in response to high profile events towards a clear strategy that safeguards data assets throughout the entire lifecycle.
Laura Cooper, Client Services Director, DataRaze