What does a data security threat look like? Is it a hacker huddled over a computer in a dark room? Is it a con artist assuming a false identity? Or could it be you?
Latest PHS Data Solutions research has identified that, rather than external factors, public sector organisations’ most pressing concern is internal, with 83% saying their own employees represent the biggest threat to data. This is compared with just 10% who say they are most worried about the threat posed by hackers.
Yet despite the risk of loss or misuse by employees, tight controls on information security have yet to be achieved in all public sector organisations. This is particularly true of records and data management, with over 40% storing confidential documents on site and 21% relying on staff to dispose of documents using general waste, recycling bins and office-based shredding machines.
The Department for Business, Innovation and Skills (BIS)-commissioned Information Security Breaches Survey 2014 report by PwC confirms the fact that, as with other businesses, public sector organisations are right to be concerned. It found that nearly a third (31%) of the worst security breaches this year were caused by human error, with a further 20% due to deliberate misuse of systems by staff.
There have also been several recent high-profile information security violations in the public sector involving personal data being passed on to third parties electronically following Freedom of Information requests.
Likewise, the threat posed by accidental loss or deliberate misuse of physical documents and IT equipment also remains. Earlier this year, one council breached the Data Protection Act by losing sensitive social security records. In 2011, a computer and some papers containing the personal information of 7,200 people was discovered in a skip, having been left in a vacated council building and disposed of by the new tenant.
According to the Information Commissioner’s Office, common areas for improvement needed in the public sector involve asset management around printers, faxing, laptops and removable media devices, the movement of manual records and the transfer of electronic records along with the disposal of personal data held in manual and electronic form.
The Code of Practice for Archivists and Records Managers under Section 51(4) of the Data Protection Act 1998 confirms the fact that many breaches are accidental and result from insider action or inaction.
The Act also states that electronic data should also be disposed of securely and in such a way that it cannot be reconstructed. This extends to the need to securely dispose of electronic data contained in redundant IT equipment, a hidden requirement that can be overlooked. Hard drives, servers and electronic media all contain vast amounts of data and it’s a common misconception that hitting delete on unwanted files will permanently remove them.
To prevent this data being retrieved and used for fraudulent purposes, a secure data wiping and IT recycling service ensures that all confidential data is removed from IT equipment and complies with the BS EN 15713 security shredding standard, before the hardware is recycled responsibly.
In meeting the specifications of the Data Protection Act and other security standards, a comprehensive, end-to-end approach to document and records management can go a long way to supporting the organisation in making it easier for employees to maintain best practice.
Along with information security considerations, moving from paper-dependent processes to electronic data management can control authorised access to data, as well as contributing to more efficient records management. At the same time, for those with multiple sites or employing large numbers of remote workers, electronic document processing will enable faster and easier access to individual records.
For organisations that retain paper copies, the adoption of best practice tools enabling effective storage and rapid retrieval of hard copies offers both a secure and effective way to minimise inefficient paper records management. For example, using a managed, off-site document and data storage facility can help avoid loss or damage due to fire, flood or theft.
Meanwhile, combining lockable cabinets for document disposal alongside a secure shredding service that’s compliant with the BS EN 15713 security shredding standard ensures confidential data such as forms, invoices, letters and employee records do not fall into the wrong hands or become mislaid.
Even the most attentive organisations will never be completely safe from the wide range of security threats the public sector faces. However, by putting the necessary processes in place to support best-practice document and records management, they will reduce the risk of a malicious attack or an unintended error escalating into a costly or damaging data security breach.
Anthony Pearlgood is managing director at PHS Data Solutions