Counting the cost of complacency: five data protection misconceptions
With the world’s media regularly churning out news of the latest data breach, cyber hack or information security mishap, it’s perhaps surprising that half of UK businesses still don’t know they could be fined £500,000 for breaching the Data Protection Act (DPA).
And that’s not to mention the other costs following a breach, which can spiral into millions of pounds once you take into account the effects of bad publicity, damage to reputation, eroded customer confidence and lost business.
To help prepare you for the data security challenges that lie ahead in 2015, we’re sharing five common misconceptions about data protection and secure information destruction that we regularly come across when speaking to businesses - and busting some myths!
1. “Our company doesn’t have any confidential information”
The DPA covers protection of personal data, which includes data that can be used on its own or in conjunction with other data to identify a living person. Does your business employ living people? Do you pay them? In that case, you’re producing payroll data – names, addresses, NI numbers, all of which are covered by the DPA. And that’s just one example. Worryingly, a fifth (21%) of SME businesses believe they possess no data that could harm their business if stolen.
2. “My staff understand what documents are confidential and shred their own”
Only a third of SME businesses say they train their staff in information security procedures, yet two thirds expect their employees to shred confidential documents in-house using an office shredder. This raises the question: if you don’t train people in what to shred, how do they know what should be treated as confidential and securely destroyed? Time and again, research into data breaches highlights human error as a primary root cause.
3. “Our staff wouldn’t throw confidential documents in a recycling bin”
Our experience says otherwise. Why not put it to the test and check your nearest recycling/waste bin right now? Find anything interesting? Regular auditing can help highlight areas of risk you may not have thought about or reviewed recently – you may find this brief data security questionnaire a good starting point.
4. “I’ve been working with my suppliers for years and trust that they wouldn’t leak our data”
Many companies vet new suppliers at the outset of a relationship, but how many carry out audits on an ongoing basis? With human error being a main contributing factor in many data breaches, if your suppliers don’t have the relevant policies, procedures or accreditations in place, they may not even know they’re doing something that puts you at risk. A bit of digging now could save a lot of pain in the long run. For example, if you’re using a third-party shredding services supplier, have you inspected their shredding premises lately?
5. “Our confidential documents are destroyed by a shredding company so any breach is their problem”
Wrong! The ICO is quite clear on this – the producer of the data (the ‘Data Controller’) remains responsible for that data until its physical destruction, even if it is passed to a third party ‘Data Processor’. Also worth bearing in mind is that a Certificate of Destruction is a best practice rather than a legal document and does not absolve you of responsibility, so as well as getting the right documentation, you also need to ensure you properly audit your supplier’s processes.
Find out how an information security risk assessment can help uncover potential data security banana skins in your business in this brief video.
Join the debate on information security with Shred-it on Twitter @Shredit_UK.