28 Days Later?

by Mark Rowe

Things in security have changed as a result of the pandemic, writes the information security awareness trainer and consultant Mike Gillespie, pictured, of Advent IM.

Other important business functions that sit close to security, like data protection, have also been put to the test. Actually, that relationship has, for me, become even more clearly underlined. Put simply, and once all of the data subjects' rights and freedoms are assured (and that is a different matter altogether), data protection is all about providing appropriate and legitimate access to accurate information at the point of need, whilst maintaining appropriate and proportionate security controls.

The assumption, understandably, has been of digital assets, collected, compiled, stored and updated in a non-physical space that has nothing to do with the physical security teams. Actually, this has never been entirely true, but the uncharted business waters we find ourselves navigating have brought this unexamined relationship into sharp relief.

28 Days Later?

Anyone familiar with the film will recall how the main protagonist awoke to find a very different world from the one he left before his brief coma. People were few and far between and buildings lay empty and abandoned; often repurposed by survivors of a terrible plague. Whilst the current situation is clearly not that bad, following the stay at home order, our buildings were left largely deserted, very quickly and on a grand scale. Although the return to physical workspaces (I use the term to refer to all places including universities, schools, shopping centres etc) has been appropriate for some, it has not been for all and many buildings are lying empty and will for the foreseeable future.

Of course, now would be an ideal time to review the efficacy of physical security measures designed to protect them as their usage has changed so radically, not just to protect the assets themselves but to ensure they are ready for use just as fast as they were temporarily retired.

There’s more

But that's not all. Returning to the assumption of all information assets being digital, there are many cases where this simply isn't true and physical records, sometimes of a sensitive nature, are still used or maintained. Many law firms still predominantly operate in a paper-based world, as indeed do accountancy firms and several other professional service areas. Despite a recent drive to digital by default, plenty of public sector organisations still use paper-based systems for offline work such as community care, social services and even policing. And that is before we even look at the masses of paperwork that currently sit in archives up and down the country.

The question now is: how are we looking after those records? The key to data protection practice (and it applies just as well to information assets that do not contain personal information but are sensitive or valuable, such as designs and other intellectual property) is CIA: Confidentiality, Integrity and Availability. Here we see the relationship between the physical security and the data protection specialist come together. Physical information assets at this time still need to be maintained; their integrity is vital, as mistakes can cost contracts, cause legal issues and a range of other knock-on problems.

You need only look at the case of Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes. It left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware, west London. Some of the documents, containing names, addresses, dates of birth, NHS numbers, medical information and prescriptions, had not been appropriately protected against the elements and were therefore water damaged. The ICO levied a monetary penalty notice of £275,000, stating: “the careless way Doorstep Dispensaree stored special category data, failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

Bringing it together

Over the last few years there has been a growth in the use of the term ‘converged threat’, usually and broadly used to describe the way that our physical and cyber worlds have increasingly been coming together. However, that in itself has led to a primary focus on the protection of electronically joined-up physical assets, and unfortunately the data protection facet of converged threat has been left out.

If we can see compromise of personal data by electronic attack, and if that can be facilitated by poor cyber security of physical systems such as air maintenance, fire and life safety and even security systems, then we can also see compromise of physical information assets in the same way. Given that principle six, ‘The Security Principle’, states that personal information must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”, it is vital that we stop viewing Data Protection as being purely an IT issue, or seeing a data breach as something that just involves loss of data online.

The physical threat to personal information is and will remain very real, and the potential implications for an organisation if it fails to protect that information from accidental (physical) damage or loss can be wide reaching.

Physical security must therefore be a fundamental factor in data protection planning and ongoing compliance checks if we are to fully protect our organisations, our information assets and the data subjects.

Data subjects are people, and a lot of the issues around data protection in the physical world are about people too. Do not let your organisation be the next organisation that “falls short of what the law expects” or, and in my view more importantly, “falls short of what people expect.”

About the author

Mike Gillespie is a member of Professional Security magazine’s editorial board; and has been a regular speaker at such industry events as ST.
