The need to encrypt personal data for security and privacy has long been acknowledged, and yet stories still come up in which stored data is made available inappropriately because of a failure to follow basic security procedures.
One of the most recent cases involved a lost USB memory stick containing names, addresses, and medical records of both patients and staff associated with a secure hospital in Stenhousemuir. The memory stick was found by a twelve-year-old boy in the car park of a nearby Asda store.
It’s clear why these things are near-ubiquitous: USB memory sticks are designed to be cheap, easy and convenient to use, and able to hold large amounts of data; they are ideal for transporting data from place to place. These very factors are what make them dangerous in environments where sensitive data is handled, as their familiarity makes them seem benign and their portability (and losability!) serves to heighten their threat to data security.
The lessons are sadly familiar:
Control access to sensitive data using hardware and software: if you restrict access to sensitive data, you lessen the possibility of data leaks and data loss, and can streamline people’s working practices too.
Consider and adapt practices which require data to be moved ‘outside of the system’: large software systems often have complex security controls built in, and while these might not be perfect (indeed might not even be adequate), controls can only be of use when they can be applied. Once data is removed from the system, for whatever reason, new practices are needed to work with the existing in-system controls – designing and implementing these practices can be non-trivial, but even recognising the need to supplement existing controls can be difficult.
Teach the people who must handle the data why controls are necessary: if everyone understands what the needs are and why they’re important then this can be a way to ensure that safeguards are both comprehensive and workable for those that must deal with them day-to-day.
The recent debate on data security and disposal was triggered in January 2009 when the editor of Which? Computing magazine encouraged PC owners to destroy the hard drives of their old home computers with a hammer to help protect against identity fraud. Following this ‘eye-opening’ article, the British Computer Society’s IT Now magazine conducted a study into data security and disposal, guided by the premise that breaking hard drives with a hammer is not only wasteful and against the EU Waste Electrical and Electronic Equipment (WEEE) Directive but, most importantly, is not sufficient to protect people from harmful data theft. Hard drives are made up of sections called platters and each platter contains information, so even if a hard drive is hit with a hammer, there is still a huge chance of a small section of a platter remaining untouched, and if that section gets into the hands of someone who knows what they are doing, the information held on it can be easily restored. Therefore, it is necessary to take extra care when disposing of devices that have memory storage areas holding personal data, in case they fall into the wrong hands.
The study of 350 private sector organisations carried out by IT Now magazine found that most of those organisations generally replace their IT equipment every 3 years, but astonishingly only 1 in 10 (12%) of them were confident that they had destroyed the data on their redundant IT equipment to a required standard. About 38% of the companies questioned admitted to only reformatting the drives and not taking any other measures to ensure that data on their hard drives was irrecoverable. Alarmingly, 50% of companies were unable to specify whether data on their redundant drives had been destroyed at all.
Since neither destroying hard drives with hammers or other DIY equipment nor reformatting and overwriting data is a suitable or secure alternative, IT Now magazine suggests that the only secure way of erasing data from a PC or a laptop is by wiping the hard drive using specialist software, for example Blancco or KillDisk.
But different things work for different organisations, and although there is a lot of truth exposed in the BCS article, it also seems to be largely advertising in nature, as its writer refers a lot to the practices of his own company. Still, it’s a very interesting and educational article and I highly recommend reading it!