Security is one of the most important issues confronting businesses, and with 32 per cent of UK organisations reporting a security breach or attack in the last 12 months, it is not hard to see why, writes Carmen Ene, CEO of the IT company 3 Step IT.
The UK is not unusual: in an international survey that 3 Step IT commissioned, 95 per cent of respondents said that security and GDPR compliance were very important, and 58 per cent ranked security as the number one reason for businesses refreshing devices.
Clearly, security and compliance are issues at the front of people’s minds. However, although many care about it, 24 per cent of those organisations surveyed who claimed that security was a priority were still dumping their IT, rather than taking action to dispose of data and devices securely. This is inconsistent. It should worry those responsible too, especially as the cost of cyber-attacks continues to rise.
The global average cost of a data breach is around 150 euros per record lost. But records are rarely lost one at a time; they tend to be lost by the thousand, or hundred thousand. In the UK, each successful attack on a small business has an accounted cost of £25,700, with the cost in customer trust and lost business on top of that and likely to be higher still. It adds up to an eye-watering £27 billion loss to the UK economy last year alone. With annual global cost estimates in the low trillions, cybercrime may be the greatest threat facing every company.
Why is correct disposal of data vital for infrastructure protection? In addition to the results mentioned above, 4.4 per cent of those surveyed cited throwing devices away as their only method of disposal. Of these, 95 per cent still said that they were confident that their data had been securely destroyed. Clearly, there is a contradiction here.
When considering their security policies and procedures, most organisations overlook how they deal with devices that are old, broken, or have reached the end of their life. Deciding to dispose of devices without securely erasing data poses a risk to employees, to their company’s overall business security, and to the sensitive data collected about customers. It poses a risk of data breach fines as well, of up to 4 per cent of turnover.
There is clearly a misunderstanding about the difference between data deletion and data erasure. When files are deleted or dragged to the ‘recycle bin’, the data is still stored on the device; only the reference to it is removed. By contrast, data erasure (also called data destruction) involves overwriting all the data on a device, making sure that the original information is irretrievable.
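The deletion-versus-erasure distinction is easy to see in a toy model. The following is an added example, not code from the article or from 3 Step IT: it models a storage device as a fixed array of blocks with a directory table (the class `ToyDisk` and its methods are assumptions for illustration). An ordinary delete drops the directory entry and returns the blocks to the free list, so a recovery tool that reads free space still finds the record; an erase overwrites the blocks first, so the same check finds nothing.

```python
"""Toy block device showing why deleting a file is not the same as erasing it.

Constructed model: the 'disk' is a bytearray and the 'directory' is a dict.
No real filesystem or device is touched.
"""

import os

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, num_blocks: int = 8) -> None:
        self.blocks = bytearray(num_blocks * BLOCK_SIZE)
        self.directory: dict[str, list[int]] = {}   # filename -> block indices
        self.free_blocks = list(range(num_blocks))  # blocks no file owns

    def _span(self, idx: int) -> slice:
        return slice(idx * BLOCK_SIZE, (idx + 1) * BLOCK_SIZE)

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free_blocks):
            raise OSError("disk full")
        used = [self.free_blocks.pop(0) for _ in range(needed)]
        for i, idx in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[self._span(idx)] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = used

    def delete_file(self, name: str) -> None:
        """Ordinary delete: remove the directory entry and free the blocks.
        The bytes in those blocks are left exactly as they were."""
        self.free_blocks.extend(self.directory.pop(name))

    def erase_file(self, name: str, passes: int = 2) -> None:
        """Erase: overwrite every block of the file, then delete it.
        Random passes first, a final all-zero pass so verification is simple."""
        for idx in self.directory[name]:
            for _ in range(passes):
                self.blocks[self._span(idx)] = os.urandom(BLOCK_SIZE)
            self.blocks[self._span(idx)] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def carve_free_space(self) -> bytes:
        """What a recovery tool sees: raw contents of blocks no file owns."""
        return b"".join(self.blocks[self._span(i)] for i in sorted(self.free_blocks))

    def residual_present(self, secret: bytes) -> bool:
        """Verification step: is the sensitive record still readable from free space?"""
        return secret in self.carve_free_space()


# Constructed sample record; not real customer data.
SAMPLE_RECORD = b"record 0001: Jane Roe <jane@example.invalid> plan=premium"


def residue_after_delete(record: bytes = SAMPLE_RECORD) -> bool:
    disk = ToyDisk()
    disk.write_file("customers.txt", record)
    disk.delete_file("customers.txt")
    return disk.residual_present(record)   # True: data survives a plain delete


def residue_after_erase(record: bytes = SAMPLE_RECORD) -> bool:
    disk = ToyDisk()
    disk.write_file("customers.txt", record)
    disk.erase_file("customers.txt")
    return disk.residual_present(record)   # False: data was overwritten


if __name__ == "__main__":
    print("readable after delete:", residue_after_delete())
    print("readable after erase: ", residue_after_erase())
```

The `residual_present` check is the part worth keeping in mind for real disposal: an erasure procedure should end with verification, not just the overwrite. On real hardware the picture is more complicated than this model, because flash devices remap and spare cells that file-level overwrites never reach; there, the device's own secure-erase or crypto-erase command, or physical destruction, is the appropriate method, and the result should still be verified and recorded.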
Refreshing devices by changing them on a planned schedule can also help with cyber security. Refreshing devices every few years gives companies the chance to protect critical IT infrastructure, with constant software updates and the opportunity to exploit the latest information security technologies. Using up-to-date hardware often provides better protection against cyber threats. More sophisticated security features such as email encryption and advanced malware protection come as standard features on newer devices.
Consider, for example, the end of Windows 7 support in January next year. When this happens, users and organisations can keep using the operating system. However, Microsoft will no longer provide security updates or patches to fix vulnerabilities that hackers can exploit. This makes those who continue to use the operating system an easy target for malicious actors. Perhaps the upcoming end of support will encourage those who have not yet made the leap to migrate, and maybe even to change their device at the same time.
With 55 per cent of the senior managers that 3 Step IT surveyed claiming that they are ‘very confident’ their data is securely erased, it’s obvious that people care about data security and how a security breach may affect them. However, it is also clear that caring is not the same as being effective: businesses still dump their IT with little consideration given to what happens next.
Secure erasure of data and replacement of obsolescent hardware are requirements in many information security best practice frameworks. They are an important aspect of ISO 27001, an accreditation that companies often require before applying for government contracts and partnerships with large organisations.
As the GDPR regime tightens (with big fines already happening now) and potential partners – clients and suppliers – become more sensitive about best practice, businesses will become more aware of the consequences of not erasing data securely. Those that use this as a trigger to consider new IT lifecycle disciplines will be a step ahead, protecting sensitive data against cyber-attacks and staying compliant with regulations.