Typical Issues Around End of Life Asset Disposal
This time of year is the period when many organisations dispose of their company’s old assets so that budgets can be spent before the end of their Financial Year.
There is always a desire to get new Information Systems up and running as quickly as possible so that the benefits of using them can be realised and a return on investment achieved. This means that the focus particularly of the IT department may be on the shiny new computer systems rather than on the old ones that are being ripped out to make way for them.
The fact that end of life IT systems can contain sensitive data which either belongs fully to the organisation or may be about their customers and users is often overlooked. The temptation is to dispose of the old equipment as quickly as possible in order to free up available space particularly in busy and city centre offices. Because of its nature, this task is frequently delegated down the organisation hierarchy to a level where the individual organising the disposal may not be aware of all the risks involved.
The temptation is to take a quick look online and find the company offering the cheapest price available to dispose of the old equipment. There is an inherent danger here. Even companies that offer bargain basement rates for disposal need to make their crust somehow – and so they do this by reselling as much of the kit as they can to second-hand users often with little or no regard for the data that may still be on the devices.
Even those who understand that a desktop computer or laptop will contain sensitive data on their hard drives often may overlook the data held on other devices such as photocopiers, fax machines and printers. Many multifunction devices contain a computer hard drive which retains a soft copy of all of the documents it has ever scanned, printed or faxed.
The data stored on IT equipment is usually the most sensitive held by an organisation. Its existence, location, storage and destruction should be managed as a controlled process with director level oversight.
The need for this is heightened by the General Data Protection Regulation being enacted in May 2018 which will dramatically increase fines for companies who suffer data leaks by failing to dispose of their old data bearing assets in an appropriate manner.
Secure disposal of end of life assets should be managed by a full audit trail of all the assets being disposed of. One should search for a company which is independently accredited – ideally by an HM Government body such as the Ministry of Defence. The chosen supplier should explain clearly exactly how data will be destroyed, for example by shredding, overwriting with software or degaussing (demagnetizing), and the ultimate outcome/destination your old assets in terms of recycling. The supplier should also carry professional indemnity cover of at least £1 million to underwrite his service offering. For more information see www.dataeliminate.com.
By Julian Fraser, Director, Data Eliminate Ltd
Podcast by: Data2Vault
Behaviours & Devices
For decades businesses have been using tape backup as a way of preventing their data being lost. From the smallest to the largest businesses, data backup is consistently budgeted as a “keeping the lights on” item.
Tape has been the media of choice for data backup since the 1960’s. During the 1980’s tape started to find its way into mainstream use, with the Walkman and VHS or Betamax video. Over the last 10 years consumers have rapidly adopted iPod’s and iPhones and Sky+ or TiVo, abandoning tape, but the IT industry had doggedly retained its reliance on tape as a backup, or more latterly a Disaster Recovery media
The digital world is changing fast, digital data volumes are growing by 42% per annum (according to IDC research), regulations to protect data are already in place, and with GDPR the regulations and penalties are being strengthened. Critical business data is being held across a mixture of Cloud services, on-premises systems and mobile devices, all this adds up to a data protection landscape that is becoming much more complex for businesses to address.
Most businesses are not aware that cloud application providers, like Microsoft with Office365, Salesforce and Google do not backup your data in their services. The protection of the data is the responsibility of the customer
Even as many organisations move to local disk based backup devices, backup tapes are still being used to move a daily or weekly copy of the latest data offsite, for Disaster Recovery purposes. These systems typically make use of image backup, snapshots of the whole application or virtual machine. Ideal for rapid restoration to get the business back up and running. But with GDPR organisations need to be looking at how all personal information is stored and managed. Image and snapshot backup does not easily allow the identification and deletion of individual files related to a person, now the right to be forgotten is incorporated into GDPR.
The continued use of tape media and the associated human intervention to handle, transport and store backup tapes create a huge vulnerability. Eliminating tape can significantly improve recovery rates and reduce recovery times.
Flexible Data Protection services that offer both image backup for rapid Disaster Recovery and granular recovery for individual files, emails or mailboxes, and long-term retention plus protection of data in Cloud applications will become the standard. When you add in Data loss Insurance cover from £1,000,000, all delivered within a certified security environment supporting GDPR compliance, Advanced Data Protection is available today.
The old way – tape, insecure in clear text, transported, stored and recovered manually and image based backup for long-term retention
The new way – Advanced Data Protection, integrated Disaster Recovery and granular file backup for long term data retention. Secure, automated with Data Insurance.
Mark Savile, Director, Data2Vault
Podcast by: DataEliminate
With the worse of the winter hopefully behind us, thoughts naturally start turning to the Spring; a time for throwing out the old to pave way for the new.
For businesses, many of the new challenges will unfortunately come as an addition to the old and not simply as a replacement. Amongst the new challenges will be the General Data Protection Regulation (GDPR). Remaining as an old challenges is the very prevalent cyber threat.
At first glance, GDPR and cyber threats appear very separate. They are however, linked. In fact, in a speech at the CBI Cyber Conference last year, the Information Commissioner described cyber security and data protection as being ‘inextricably linked’. So, if we can link challenges, maybe there is the opportunity for businesses to take a new approach to addressing them.
Debate as to who holds responsibility for IT security is not new. Is it purely the responsibility of the IT team or does it lie with the Company Directors? With each party putting forward numerous, yet reasoned arguments, the detail of the debate is subject for an altogether different Blog.
Yet, however good the assertions of both sides, the most practical solution is for both parties to share responsibility. After all, IT can’t implement appropriate defences without the support of the Board and the Board cannot make informed decisions without the expert input from IT. As the cliché goes, ‘a problem shared is a problem halved’!
Accountability is actually much wider than a simple bi-partisan relationship with responsibility for cyber security falling to all employees. The best security, jointly agreed by IT and the Board, becomes worthless if a simple click on a fraudulent link bypasses considered security measures.
A new culture which includes awareness training for all staff may prove a valuable benefit for any organisation. If training can work in partnership with a ‘no blame’ culture then all the better. Encouraging staff to report an erroneous click on a suspicious link enables investigation and positive action to be taken, hopefully before it is too late.
A proactive approach to cyber security may also form part of a new culture for many organisations. Unfortunately, too many businesses have placed cyber security on the too complicated, too expensive or, the it will never affect us pile, only to be addressed once an incident occurred. As those businesses will testify, that is the point at which it is too late and the very point at which it does become inconvenient, complicated and expensive.
Improved security doesn’t have to be complicated and can be built in to everyday good business practice. The Government backed Cyber Essentials guides businesses to address areas that can protect against 80% of online threats. With the addition of good information Governance, such as IASME Governance, which also includes a GDPR readiness assessment, even greater protection can be achieved.
So, whilst this Spring, we may face new business challenges, we can introduce a new culture for the benefit of the whole organisation. Cyber security has as important a role to play in business as any other function. With the right measures in place, a business can solicit new opportunities whilst simultaneously protecting what it has worked so hard to achieve. Get it wrong and the effect on a business can be devastating.
GDPR provides us with the perfect opportunity to ensure the protections we currently have in place are appropriate and facilitates the perfect excuse to make any necessary changes to business practice and business culture.
By: Chris Pinder, IASME
Company Number : 09639299
Mail to : firstname.lastname@example.org
Address : One Wood Street, London,
United Kingdom, EC2V 7WS.