Data Security is no joke

Who is really responsible for your data? I mean its security I suppose.

It is a good question, maybe even a great one. I have always been amazed at how casual businesses are about their databases, because for all the talk and the squillions spent on CRM systems and software they are still mostly pants, but someone really does need to be in charge.

These days I get involved in data security at the asset disposal end of things and I am amazed at how casual some people are about their old kit. Just the other day I found a new tenant who had ‘inherited’ an old server, four laptops, a huge, heavy power unit of some description and the usual clutter of wires and keyboards from the previous occupiers. No one knows what is on it. No one seems to care. But there is enough memory there to hold the meaning of life, which is of course 43 according to Monty Python, or was it 41?

USB thingy’s are cheap and readily available (Note use of technical term. If you are expecting to be blinded by science, you are reading the wrong blog!). Your complete customer database is now in the possession of young Ryan in sales, who is about to get a bit sozzled and leave his jacket in The Three Horseshoes.

There must be processes for this sort of stuff. We all laugh at Health & Safety until we fall off the ladder and break our necks and data security is much the same. I was talking with my MD Jane Taylor just this afternoon and she suggested that people did not understand the risks. I am not sure I agree. I think they know what could happen, they just don’t think it will. Not to them. Who cares about the customer database of V. Cheap Building Supplies (Ambridge) Ltd? No one is going to rifle through the hard disk on that PC Mr Cheap donated to Save A Squirrel, are they?

But what if they do?

A data breach is a data breach. The laws apply equally to the very small and the very big. Everyone really has to take this seriously, even if the risks do seem small. I have car insurance. I haven’t had any sort of accident involving a claim in almost fourteen years. I calculate that to be about £7000 worth of ‘wasted’ insurance. Following a process to protect our data is like car insurance. I hope you never need it but if you do, you will be glad it is there.

What is really important here?

Being seen to be environmentally friendly is a corporate must these days. Every website is full of the various initiatives most companies support and if they can spin it into good news, the trade mags and local papers happily print the stories. On the other side of the coin, causing any pollution or mess has become a PR disaster...just ask the guys at BP.

However, deep down in the corporate mindset, this is mostly a sham of course. Profit for sanity recycle for the cameras is the reality. If it costs, most companies will look for some wriggle room and try to minimise the pain.

And so they should. Any business manager who does not try to reduce costs is not doing his job properly for his shareholders. Businesses really should make profit. That is what creates job and contributes to the well-being of us all. Money makes the world go round, as they say.

Sitting here in the ‘where there is muck there is brass’ sector, the wriggle room is provided by less than satisfactory services. Offering free collections gives the lazy manager a chance to salve his or her conscience about ‘doing the right thing’ whilst not spending so much as a penny.

The fact is that the majority of people in this country pay lip service to the environment. In fact most of us do, some of the time. Me included. Recycling will take time to become ingrained in us, and our kids will no doubt put us to shame in that regard. But in the case of electrical equipment, I am not sure many people understand the consequences of our actions.

Keeping scrap out of landfill is a no brainer. Any sane individual has to be able to see that burying our waste is stupid, especially if it includes harmful substances. So why would those self same individuals condone sending our WEEE to Africa, to let bare-foot children throw it all in acid baths and bury our problems somewhere else?

And yes, anyone not choosing a reputable IT recycling partner is condoning that by default.

Quite apart from the laws being ignored and the corners cut, you are abusing a third world country for a very small corporate gain.

So my plea to each and every one of you is make a difference. I know you have to keep a lid on costs but check out your recycling partners. Protect your data and then focus on the environment. Where is that kit going to end up?

That is far more important than a few quid.

Avoid the ‘I told you so’ lecture at all costs

You would never dream of putting your hard copy bank statement in the bin, would you? Not without at least tearing it up into little pieces. Maybe you bought one of those home-shredders? It is the same at work. If you print out something confidential, you are careful with it. You would not leave it out on your desk whilst you nipped to the loo, and you would shred it if you threw it away. It is second nature. You know something contains sensitive information and you are sensibly careful with it.

Which makes some people’s attitude towards IT data security unfathomable. The same person who bought one of those home-shredders to destroy their private correspondence, left their old PC at the local tip, in the dry WEEE store, without any real idea what would be done with it, and ignoring the fact that all that correspondence and more is still on the hard drive. Every word, every account number, every little detail of your life.

Mr Spock would call it illogical. We do not seem to connect the hardware to the printout. No one would bother to turn that old PC on and dig around for old personal files, would they? Well yes they would actually. Because data, information of almost any sort, is valuable. Cyber crime is on the rise and no one really knows what will happen next, because it is quite new. We have only really been using computers for twenty five years or so, and the internet is even younger. 

The basic bottom line is if it is valuable, someone will try to nick it.

So our apathy is getting more and more dangerous. We have to wise up here. However you do it and whoever you use, you need to sanitise your data before you dispose of any piece of kit. Be it a phone or a laptop, a tablet or a printer, think about the memory. It may only be a small percentage of people that get caught out this way but why would you want to be one of them?

When you get rid of anything with a memory you are taking a risk, a gamble. Every single time. As soon as you let that old PC out of your sight, you have given your data to someone else. Serious if you are a consumer, bloody scary if you are a business. Because as a consumer, you are only risking your own data, your own identity, your own bank balance. But as a business, you risk other people’s data, and as such you have a duty of care. You can be heavily fined and soon imprisoned if you do not fulfil that duty of care.

Lightning rarely strikes but when it does, it tends to hurt. I’ll give you another little example from my own life. In my private life, a pair of jeans is second skin to me. And for forty odd years I always put my wallet in my back pocket. Never gave it a second thought. My then wife used to nag me about it when we went out. She said it was easy to steal, in plain sight, but I doubted anyone could take my wallet out of my pocket without me noticing. And it had never happened...until one day at Crawley cinema. It was heaving and I was focussing on my son, then little more than a toddler, who was doing his best to get lost in the crowds. I caught him and took him back to his Mum, who was queuing for a drink. I went to pay...and no wallet.

An expensive lesson which got me the ‘I told you so’ lecture. Which no man ever wants to hear. So now I am a little more careful. In busy places, I move my wallet to a less obvious place. I manage the risk. Which is, as I may have said before, what data safe IT recycling is really about.

We do have to change our collective attitude to data security. There is no alternative. Cyber crime is not going to go away. You know I am right. Every person I sit down and talk this through with in any detail ends up agreeing with me. You cannot trust dumb luck to protect you, and you cannot do half a job and expect to stay safe. Sooner or later your luck always runs out. Do it, and if you are going to do it, do it properly.

Otherwise I am going to be right here saying I told you so!

The Proof is in the Filing Cabinet

Every job has its little nuances that no one else is aware of. Little tricks of the trade, or the thing that no one outside of the specialism has ever thought of. For most of us, those are the little stories we love to tell at parties, to impress complete strangers, just before their eyes glaze over and they make an excuse to escape to the loo.

Most jobs are boring of course. Most of the time. There are always bits that we enjoy more than others and sometimes bits that we actively like, but the reality is that most of our lives are mundane and not worth repeating to anyone. Unfortunately, as the devil is always in the detail, it is these extremely boring things which can often get us in the most trouble.

The paperwork trail is a prime example. I shall exaggerate a little here, but the of two million forms I have filled out in my long life only about ten percent were ever read, let alone put to any good use. I am sure I have wasted about a year of my time filling out things no one else will ever refer to again just to fill a filing cabinet that is probably still in storage somewhere, waiting for the statute of limitations to pass by.

The IT recycling sector can drown you in paperwork. There are certificates and processes and lists and forms that you can read until your eyes bleed, and do you know what? The vast majority just get filed away and never see the light of day again.

Why, I hear you ask? Because data security during asset disposal is all about risk management, and the paperwork is your defence, milord. The stuff eReco provides for you during the process, the waste transfer note, the asset list and finally the certificate of data destruction, are only worth their weight in gold when something goes a bit wrong. It is then, when Genghis Khan (our friendly neighbourhood Information Commissioner) is just preparing to torture your first born, that you whip them out and prove that you did everything right.

Which is why any sane individual disposing of a data-bearing device would worry about the paperwork and the little details contained therein. I know I have managed to write over 100 blogs thus far on this stuff, and I know there are a lot of details, but to simplify it down to the bare bones what you need to do is cover your backside, if you are worried about getting a sharp kick at some stage.

Some people do not worry. Many of those do not appreciate the risks...the £500k fine, the prison sentence...because either they don’t understand the risks or they take the view that they are not going to get caught. Now I understand that. It is a bit like speeding in that regard, the vast majority of times you will get away with it. I don’t speed as much as I used to, because actually the risks of getting caught have increased, what with more speed cameras being about, and because I am more risk adverse these days.

Risk management, therefore, at least in this case, is about the paperwork. That the paperwork is the proof of the excellent ethical and data safe job we do is almost by the by. And yet again the quality of the paperwork is paramount.

For instance, you have a certificate of data destruction for a list of assets, identified by serial number don’t you? I do hope you do, because otherwise you are not even on the first rung of the risk management ladder.  Our certs state the software used (Infosec 5 of course) and will satisfy Genghis Khan that you have done all you could. The hordes will return to barracks without your blood on their hands.

But what if the certificates you have do not say how the data was erased? Or they say a lower level of software was used? Or one hard drive off your asset list does not appear, because it went missing somewhere? Genghis will be sharpening the gutting knives...

My party piece revolves around legal documents spewing out of old printers we mend or what we can recover from a hard drive after low-level erasure. I thus have few friends and rarely get invited to parties! Doing things properly costs a bit more. It is actually a bit boring as well. Sometimes we all stop and read the health and safety legislation for some light relief. But what we are doing matters.

The stuff in the file is important, so is what we do to create that paperwork but you never get to see or file that for posterity. We are battling for a sustainable world where our personal data remains private. We are eco data warriors!

Put it like that and we are not so dull after all...

How much?

How do we solve the problem of WEEE? Because it is a problem, isn’t it? In our throwaway society we upgrade to the latest gadget as soon as we possibly can, but we are not quite so good at getting rid of the old stuff. A few weeks ago I expounded on a theory of mine that there are hundreds of thousands of tons of supplanted electrical equipment hidden away in cupboards and drawers all over this country, in homes as well as businesses.

Let’s quickly recap the theory. In my flat I have several old phone handsets, an old Virgin television box, a CD/radio, several old alarm clocks, a video player and a broken electric razor. Plus assorted cables for things I no longer own, let alone use. Say 20 kilos? Now the annual target for WEEE collection in the whole of the UK is 490k tons and there are 25 million homes in the UK. If every one of those homes matched my little haul that is 550k tons, over one year’s total collections. And we have not even gone into business WEEE yet. I reckon there would be an equal amount.

According to WRAP about 600k tons of electrical equipment are produced or enter the UK every year, so we are recycling slightly less than we make.

Yes folks, the pile of crap in your cupboard is getting bigger, not smaller! And I would like to thank Thomas Crapper for that word. I have used it a lot in my life. But isn’t that a little scary? I reckon we have about one million tons of WEEE hidden away.

Even if you disagree with my maths and halve that number, it is HUGE. Using some figures WRAP came up with, I just worked out that one million tons of WEEE is worth about £150m. And quite a lot of it is still in good working order. It is just redundant where it is now.

eReco ran an amnesty over Christmas, promising to take our local residents WEEE, render it all data safe if necessary and recycle properly. It was a great success on a local scale. We are planning some more events, and would love to arrange one with you, wherever you are in the UK. Just get in touch if you are interested. But today, I want to pick at this problem.

Why won’t we dispose of it? A quick trip down the local amenity tip and it is gone. I can understand why people might hesitate to get rid of a laptop or a phone, because of the personal data issues, but a video player? A CD/radio?

They work. That’s why. That’s my excuse. I need the video player in case I have an urgent need to play a video at some stage. I do still have some video’s too somewhere. The Virgin box works too. I know they don’t want it back, because my dear old Dad checked, since he is in the same boat.

I am not a hoarder. Not usually. But just because it has a plug or takes a battery I seem to treat WEEE differently to all my other junk. I really don’t know why. But the facts are pretty simple. If we could recycle that one million tons of hidden WEEE we could do a lot of good in this world.

And oh yes, companies like eReco would make some money. Because that is part of the problem too I realise. Despite the fact that I could try and sell my old video player if I wanted to, and discover that...surprise surprise...it isn’t worth anything at all, I am reluctant to give it to anyone else with the skills and the time to recycle it and turn it into some money.

Illogical. Waste has been a business for some time and yes, people profit from it. The problem is that we don’t think of this stuff as waste. Even if it is broken. I had a customer that decided to sell his two old printers on eBay rather than pay £50 to have them collected. He had to set up an account, take photographs and spend time putting it all online. Let’s be generous and say it took him an hour. They did not sell. He tried a free service but he did not have enough for them to collect for free. They quoted him £75. He hummed and hah-ed for another two months before he gave in.

The fact is that until we need the space it is easier not to face our demons. But we really should grow up and do the right thing. One million tons...I can’t get that figure out of my head.