Preventing data loss – five top tips
As the incidence of identity theft has grown over the years, so too have sales of shredders. Once found only in security-conscious organisations like government departments and banks, they’ve become a common feature not just in offices, but in homes. Even supermarkets sell them these days – not quite alongside the Shreddies, but close.
People still put confidential paperwork in their bins, of course. Some remain ignorant of the threat; others do it by accident. The bottom line, though, is that it’s much less worthwhile for would-be thieves to root through bins than it used to be, and that’s a good thing.
The problem for all of us – businesses, government organisations and individuals – is that the identity thieves have simply moved their attention elsewhere. New technologies have created far richer sources of sensitive data for them to exploit.
At this point, your mind will probably have turned to the losses of discs and laptops that have continued to grab media headlines. In January 2008, for example, a laptop was stolen from a Royal Navy officer’s car. It contained the passport details, National Insurance numbers and other information for about 600,000 people who had joined the Armed Forces or expressed interest in joining. Around 3,500 people were placed at even greater risk of identity theft. The lost data included their bank account details.
This was just one of 747 Ministry of Defence laptops that were lost or stolen between 2004 and 2008, only 32 of which were recovered. It would be wrong, however, to single out the MoD in this regard. According to research carried out by the Ponemon Institute, 900 laptops go astray every week at Heathrow airport alone. Of those that get handed in at airport lost property offices worldwide, only 43 per cent are ever claimed.
Such problems are significant and clearly need to be addressed. But it would be foolish to focus just on laptops or on accidental loss and theft.
Every year, organisations dispose of huge quantities of computers, mobile phones and other electronic hardware. Some is sold on, some is donated to good causes and the remainder is recycled or simply – if not very responsibly – thrown in the bin.
The trouble is that, as the equipment we use gets more and more sophisticated, more and more data is being put at risk.
A recent survey by BT, the University of Glamorgan and Edith Cowan University in Australia highlighted the problem. Among the second-hand mobile phones examined, 23 per cent were found to hold enough information for the previous owner and employer to be identified. One of the Blackberrys inspected had been used by the sales director at a major Japanese corporation. Researchers were able to recover the call history, the address book, the diary and messages sent to and from the device. Among the latter, they found the organisation’s business plan, details of its business with various customers and all sorts of personal information the user had stored, including bank account numbers and sort codes.
What’s troubling is that organisations often donate old mobile devices to charities, and that some of those charities do little more than send them on to countries like Nigeria for recycling – countries where identity theft is rife.
To be clear, neither these charities nor other recyclers are at fault. They are no more responsible for valuable data put in their hands than local authorities are for bank statements and other sensitive documents put in their bins. The problem has to be tackled at source – by the organisations and employees whose data is at stake.
Basic information security measures must clearly be applied as soon as devices are taken out of the box. Laptops, Blackberrys and memory sticks can – and should – all be password protected as a matter of course. The data they hold should be encrypted wherever this is possible.
Measures should also be put in place to limit the amount of data users can download to any portable device. Memory sticks that can now store 32 gigabytes of data or more are commonplace these days, but do you really want that much data to be put at risk?
Beyond this, take more care when computers and mobile devices reach the end of their life with your organisation. Do you have procedures in place not just to delete the files on them but to leave their memory completely clean? Will the recycling company you use do this for you? And if so, does it have security measures in place to protect your data until the work is done?
Above all, don’t just focus on computers and laptops. Mobile phones, PDAs, Blackberrys, memory sticks, MP3 players and a host of other devices present equally significant risks. Whether you are going to send them for recycling or donate them to charity, either make sure they are ‘clean’ first or choose an organisation that promises to do this for you before it passes your device on.
Preventing data loss – five top tips
1. Turn on password protection as soon as devices are taken out of the box.
2. Encrypt data wherever and whenever possible.
3. Limit the amount of data users can download to any portable device.
4. Take care when computers reach the end of their life. Choose recycling companies that promise to remove every trace of data or do this yourself. Simply deleting files is not enough – you need specialist software to do the job. Check to be sure the work is done.
5. Remember – mobile phones, PDAs, Blackberrys, memory sticks, MP3 players and a host of other devices can hold large quantities of confidential data. Wipe their memories before disposing of them or send them to an organisation that will do this for you.